Log4j Vulnerability Update

Hi Sonatype Community,

On Friday, the internet was set on fire with news of the extremely widespread Log4j vulnerability and quick mass scanning efforts to exploit it by bad actors. Almost no organization is unaffected.

We wanted to let you know that Sonatype products do not use log4j-core. This means our software, including Nexus Lifecycle, Nexus Firewall, Nexus Repository Manager OSS, and Nexus Repository Manager Pro in versions 2.x and 3.x, is NOT affected by CVE-2021-44228. We still advise keeping your software upgraded at the latest version.

We are actively monitoring these issues and updating our blog; however, we also wanted to provide a product-specific breakdown to help answer your questions which can be found on our Help site.

Unsure if your organization is impacted? See our Find & Fix Log4j guide for help as you investigate your applications and environments for this vulnerability.

Explore the very latest findings around the Log4shell vulnerability in our resource center.

If you have any additional questions about this, we are happy to answer them in the thread below.

More information about this ongoing situation can also be found on the Sonatype Blog.

2 Likes

Please have someone update the Download link. It still points to 2.14.20. Had to go through the download archive instead -Download Archives - Repository Manager 2

Hi @l.q, thanks so much. I will pass this along for someone to take a look and let you know when it’s updated.

Hi @mharwood, is there any recommendation for Sonatype Nexus OSS version 1.9.2.2 log4j vulnerability. I can see CVE-2019-17571 and CVE-2021-4104 vulnerability reported for log4j1.2.x for this platform.
Thanks

Hi @banti.dutta41 and welcome! - We always recommend upgrading to the most recent version available. Please check the Download page for the latest available version. This page may be of help as well: https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories

Which version of nexus repository are you using? I believe you are seeing a false-positive. Our products do not use log4j but logback and are not vulnerable to any log4j CVEs.

Hi @mmartz . Thank you for your response.
We are currently using Nexus OSS 1.9.2.2 on-prem

You can download from here Download Archives - Repository Manager OSS
Vulnerable component ie.log4j-1.2.14.jar can be found in the location nexus-oss-webapp-1.9.2.2-bundle.zip\nexus-oss-webapp-1.9.2.2\runtime\apps\nexus\lib\log4j-1.2.14.jar

Previously I guess nexus war file was provided on download site but war generation was stopped later years.

Please confirm if its false positive?

Sure that would be plan. But can you confirm if its false positive or if we need immediate upgrade.

We typically always recommend upgrading to the most recent version available. Here, you can find a list of important advisories of known security vulnerabilities in Sonatype products: https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories?page=2#articles

I believe the 1.x line actually uses log4j not logback. Based on Log4j – Apache Log4j Security Vulnerabilities I believe that it’s not vulnerable as it’s the 1.x line of log4j not the 2.x line. I’d still recommend upgrading as soon as practical as it’s entirely possible that there are many other vulnerabilities in software that old.

@mharwood & @mmartz thanks for your input.

but for 1.x there are two vulnerable

  1. CVE-2021-4104 ( Base Score:7.5 HIGH) NVD - CVE-2021-4104
  2. CVE-2019-17571 (Base Score:9.8 CRITICAL) NVD - CVE-2019-17571

can you share the link and steps to address the above issue ?

please share the link for upgrading the 1.x nexus to 3.x.

Hi @shyamaspari and welcome!

I believe this thread would be a good place to start for upgrading the 1.x to 3.x: How to migrate Nexus repository from 1.7 to 3.x?

Thanks, @mharwood for sharing the upgrade process.

We have added the upgraded plane being there are a couple of ongoing works this upgrade may take some more time to execute.

Can you please provide the required mitigation for the above two CVE and their impact on the current version we are using? and any mitigation we can do to fix it for now.

Thanks

I will try and get some more info for you, @shyamaspari but I believe the biggest recommendation is to upgrade as soon as you can.