Sonatype Nexus Repository Manager Remote Code Execution Vulnerability Advisory

We have seen a notification as below:

Date: February 5, 2019

Affected Versions: Nexus Repository Manager 3.6.2 OSS/Pro versions up to and including 3.14.0

Fixed in Version: Nexus Repository Manager OSS/Pro version 3.15.0

CVE-2019-7238 Summary

Insufficient access controls have been discovered in Nexus Repository Manager 3 which allow remote code execution.

An unauthenticated user can craft requests in such a manner that can execute Java code on the server. We have mitigated the issue by adding the necessary access controls as well as disabling the ability to execute arbitrary Java code via this path. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.

This vulnerability was identified by external researchers and has been verified by our security team. We are not aware of any active exploits taking advantage of this issue. However, we strongly encourage all users of NXRM to immediately take the steps outlined in this advisory.

As the identified vulnerability allows an unauthenticated attacker to run arbitrary Java code on the system, we are highly recommending all instances of NXRM be upgraded to 3.15 or later.

The vulnerability associated with this advisory is fixed in NXRM 3.15 and above. The latest version of NXRM 3.x can be downloaded from:

Current Nexus version we have: Nexus Pro 2.14.8

Please let us know if this vulnerability is applicable to our version of Nexus Repository Manager…

Thank you,

Hi Team,
Please find the attached System information too…

Thanks for your question. This vulnerability only affects NXRM 3.x instances, so no, Nexus Pro 2.14.8 is not vulnerable.

On the other hand, 2.14.8 is almost a year old. Multiple vulnerabilities have been discovered, fixed, and announced since it was released. We recommend keeping NXRM instances up to date to avoid being vulnerable to old problems.

Please review:
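As an added example (not code from this thread, from Sonatype, or from NXRM itself), a small Python check that classifies an NXRM version string against the ranges the quoted advisory gives (3.6.2 through 3.14.0 affected, 3.15.0 fixed) and the reply's point that 2.x is out of scope; the host names and version strings in the sample inventory are constructed.

```python
# Added example: triage NXRM version strings against the CVE-2019-7238 advisory
# ranges quoted in the thread. Inventory values below are constructed.
import re

AFFECTED_LOW = (3, 6, 2)     # first affected version named in the advisory
AFFECTED_HIGH = (3, 14, 0)   # "up to and including 3.14.0"
FIXED_IN = (3, 15, 0)        # "Fixed in Version: ... 3.15.0"


def parse_version(text):
    """Parse 'Nexus Pro 2.14.8' or '3.14.0-01' into a (major, minor, patch) tuple.

    NXRM release strings often carry a '-NN' build suffix; it is ignored because
    the advisory states its ranges on the three numeric components only.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:-\d+)?\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """Return 'not_applicable', 'affected', 'fixed' or 'unspecified'."""
    v = parse_version(version_text)
    if v[0] != 3:
        # Per Sonatype's reply, the advisory covers NXRM 3.x only.
        return "not_applicable"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    # 3.x builds the advisory does not name (below 3.6.2, or a 3.14.x above
    # 3.14.0): confirm with the vendor rather than assume either way.
    return "unspecified"


def triage(inventory):
    """Map each host in a {host: version string} inventory to its status."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {                      # constructed inventory, not from the thread
        "nexus-prod": "Nexus Pro 2.14.8",
        "nexus-dev": "3.14.0-04",
        "nexus-test": "3.15.0-01",
        "nexus-old": "3.2.1-01",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```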

Yes, we are planning to upgrade to the latest version in 2.x: 2.14.11 in the next few days…
Thank you for your response…