Nexus Repository 3.37.2 Released

We are pleased to announce Nexus Repository 3.37.2 with New Log4j Visualizer!

What’s New and Noteworthy?

In response to the recently reported vulnerability in Apache’s “Log4j2” logging utility (CVE-2021-44228, also known as “log4shell”), Sonatype is providing a Log4j Visualizer for a limited time to all Nexus Repository OSS and Pro users. The Log4j Visualizer will provide insight into Maven log4j component downloads impacted by CVE-2021-44228 in your organization.

What is the New Log4j Visualizer?

As we detailed in our blog and are still monitoring in our Log4j Vulnerability Resource Center, vulnerability researchers uncovered a critical vulnerability in Apache’s “Log4j2” logging utility (CVE-2021-44228, also known as “log4shell”). In an effort to help the global software community defend themselves against this threat, we are providing a Log4j Visualizer to all Nexus Repository OSS and Pro users to allow greater visibility into Maven log4j component downloads.

The visualizer looks at your request logs to show you information about Maven log4j component downloads in your organization, including the number of times someone has downloaded a log4j component impacted by CVE-2021-44228 by repository, username, and IP address.

This is a temporary feature currently limited to only identifying components impacted by CVE-2021-44228, and we may modify or remove it completely in future releases. Note that enabling the capability may impact Nexus Repository performance. Also note that the Log4j Visualizer only captures information about the log4j-core component in Maven and only identifies those impacted by CVE-2021-44228. It does not currently identify or track other log4j vulnerabilities.

How can Nexus Repository users enable this new feature?

You can enable the capability from a message that will appear upon upgrading or from Nexus Repository’s capabilities section. Learn more in our Log4j Visualizer documentation.

Cheers!
Nexus Repository Team

1 Like