Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

Anonymous Access In Nexus Repository is Not A Zero-Day Vulnerability

July 02, 2019 By Brian Fox

In March, a researcher from Twistlock contacted us about two issues he identified, stemming from user access settings. As with any disclosure, we immediately looked into it. 

The disclosure was questioning the long standing ability to allow a repository to provide anonymous access for reading artifacts. Since this wasn’t a new capability and because it affects common and legitimate use cases, we did not view this as a zero day vulnerability requiring merely a technical fix. Instead, we decided to approach this as a product feature UX change to make it easier for users to be more secure.

The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so. 

Obviously providing wide open read access on the public Internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important.

While we disagreed with the assessment that anonymous access should be completely removed from the product, we agreed that more could be done to require a definitive choice to enable Anonymous access during initial setup. We addressed this as quickly as possible with a rolling fix - one in our 3.16.2 product release and one in our most recent update which is 3.17.

As we always do, we do want to emphasize the importance of upgrading to the latest version of Nexus Repository. In this case, we additionally ask that organizations re-review if their use of anonymous read access is appropriate for their use case.

Tags: Nexus Repository, News and Views, Product

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.