Security Advisory: Sonatype Fixes Lift (SaaS) Vulnerability (Severity: Low)

Date: December 8, 2021

Risk: Low

Synopsis: On October 13, 2021, security researcher Rotem Bar (Cider Security) alerted Sonatype to a potential vulnerability in the SaaS version of Sonatype Lift (“Lift SaaS”).

On November 13, 2021, Sonatype released a fix to address the vulnerability.

Support: If you run into any problems or have any questions/concerns, see how to contact us here: Need More Help.

Credit: We appreciate Rotem Bar’s insight, disclosure and patience as we investigated his findings.

Frequently Asked Questions:

Q: Does the vulnerability impact users of Sonatype Lift on-premise offering?

A: No, the vulnerability was limited to Lift SaaS only.

Q: Can you provide more details on the security issue?

A: A remote code execution bug in RuboCop, an open source static code analyzer incorporated into Lift SaaS, could be exploited to make Lift SaaS leak an internal AWS token.

Q: What was Sonatype’s response after being alerted to the vulnerability?

A: After being alerted to the potential vulnerability, Sonatype’s security researchers investigated the security issue, confirmed Mr. Bar’s findings, and started work on a fix. Through our investigation, Sonatype also confirmed that the bug could not have been used to gain elevated access without additional secrets, as the containers we use are designed to execute third-party code and are therefore hardened, isolated and temporary. Further, Sonatype implemented additional security measures to avoid these types of inadvertent disclosures in the future.
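The two answers above describe the risk (third-party analyzer code running with access to an internal cloud token) and the mitigation posture (hardened, isolated, temporary execution plus measures against inadvertent disclosure). The following is an added illustration, not Sonatype’s or Lift’s own code, of two generic controls a service that runs untrusted analyzers can apply at the process boundary: launching the analyzer with an allowlisted environment so cloud credentials are never visible to it, and redacting credential-shaped strings from its captured output before that output is stored or displayed. The allowlist, the credential patterns and the sample key value (AWS’s documented example key ID) are assumptions chosen for the example.

```python
import os
import re
import subprocess
import sys

# Hypothetical allowlist: the only environment variables an analyzer child
# process is allowed to inherit. Cloud credentials are deliberately absent.
SAFE_ENV_KEYS = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR")

# Constructed patterns for credential-shaped strings in analyzer output.
# Each entry is (regex, replacement); group 1 preserves the key name so the
# redacted log still shows *what* was redacted.
CREDENTIAL_PATTERNS = [
    # AWS access key IDs: "AKIA"/"ASIA" followed by 16 uppercase alphanumerics.
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED]"),
    (re.compile(r"(aws_secret_access_key\s*[=:]\s*)\S+", re.IGNORECASE), r"\1[REDACTED]"),
    (re.compile(r"(aws_session_token\s*[=:]\s*)\S+", re.IGNORECASE), r"\1[REDACTED]"),
]


def scrubbed_env(env):
    """Return a minimal environment containing only allowlisted keys."""
    return {k: v for k, v in env.items() if k in SAFE_ENV_KEYS}


def redact_credentials(text):
    """Replace credential-looking substrings with a placeholder.

    Returns (redacted_text, number_of_redactions) so callers can alert on
    any non-zero count: output from an isolated analyzer should never
    contain credentials in the first place.
    """
    total = 0
    for pattern, replacement in CREDENTIAL_PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total


def run_analyzer(cmd, env=None, timeout=60):
    """Run an analyzer command with a scrubbed environment and redacted output.

    The timeout enforces the "temporary" property: a hung or runaway child is
    killed (subprocess raises TimeoutExpired) rather than left running.
    Returns (return_code, redacted_output, redaction_count).
    """
    child_env = scrubbed_env(os.environ if env is None else env)
    proc = subprocess.run(
        cmd, env=child_env, capture_output=True, text=True, timeout=timeout
    )
    output, count = redact_credentials(proc.stdout + proc.stderr)
    return proc.returncode, output, count


def probe_environment_leak(env):
    """Spawn a tiny child that reports whether an AWS secret is visible to it.

    Used to verify the scrubbing: even if the caller's env contains the
    secret, the child should print "absent".
    """
    cmd = [
        sys.executable,
        "-c",
        "import os; print(os.environ.get('AWS_SECRET_ACCESS_KEY', 'absent'))",
    ]
    _, out, _ = run_analyzer(cmd, env=env)
    return out.strip()


if __name__ == "__main__":
    # Constructed environment in which a cloud secret is present in the parent.
    parent_env = {
        "PATH": "/usr/bin",
        "HOME": "/tmp",
        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented sample ID
        "AWS_SECRET_ACCESS_KEY": "constructed-secret-value",
    }
    print("child sees secret:", probe_environment_leak(parent_env))
    print(redact_credentials("analyzer log: key AKIAIOSFODNN7EXAMPLE seen"))
```

The environment allowlist is the primary control: redaction is a second line of defence for output that is stored or shown to users, and a non-zero redaction count is worth alerting on because it means something upstream let a credential reach untrusted code.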