Are you running an instance of Nexus Repository Manager 2.x on Java 7? If so, it’s time to upgrade your JVM to Java 8.
Java 7 was deprecated by Oracle in the spring of 2015. Since then, Sonatype has continued to support Java 7-based deployments of Nexus Repository. That time is coming to an end.
It’s the Dependencies
Most modern software development makes extensive use of open source components and Nexus Repository is no exception. Like many large applications, NXRM contains hundreds of open source components - either directly in the product or as transitive dependencies (dependencies of dependencies).
Using open source is a massive productivity boost, but it also presents a lot of surface area for vulnerabilities to creep into applications. At any time, researchers can disclose a vulnerability in a popular open source component and implicate tens of thousands of dependent applications worldwide.
Fortunately, the exposure doesn’t need to last long. We know immediately when a newly disclosed vulnerability affects one of our products because we use Nexus Lifecycle internally.
When Lifecycle notifies us of an open source vulnerability, we can quickly figure out if we’re using the vulnerable functionality and—if so—roll out an updated version of our software with a fix.
What do these fixes look like?
Most of the time, the right way to fix the problem is to upgrade the dependency to a newer, non-vulnerable version. If you’re depending on the vulnerable functionality, this is often the only practical way.
Java 8 Requirement
Even though Nexus Repository 2.x is a long-term support version, time doesn’t stand still for its dependencies. The older those dependencies get, the greater the risk that a vulnerability will be discovered in one of them.
A clear trend in dependencies is that newer, non-vulnerable versions require Java 8. In other words, the fix to the next CVE may be incompatible with Java 7.
We’ve been doing some fancy footwork to delay this from happening, but that’s getting harder. It may soon be impossible.
Upgrade to Java 8 Now
When the next CVE hits, we will immediately begin working on a fix. We won’t require Java 8 if we don’t have to, but we may not have a choice if a critical dependency upgrade forces our hand.
We don’t publicize serious vulnerabilities before we have fixes, which means you will have no warning. (This is the warning.)
If you haven’t upgraded to Java 8 when that happens, you will have to make a painful decision: hastily upgrade your infrastructure at the same time you’re upgrading NXRM 2, or stay in production with a publicized, exploitable vulnerability.
The time to upgrade is now, before there’s an emergency.
Connect with Us
If you have any questions about the impact of this coming change, how to plan for it, or any other comments, please connect with us at my.sonatype.com.