Urgent: Sonatype Nexus Repository 3.68.1 Released

Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 deployments. All Sonatype Nexus Repository 3 Pro and OSS customers should upgrade to 3.68.1 as soon as possible.

While there are no known active exploits, this vulnerability could allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope. See our CVE-2024-4956 KB article for full details. The Nexus Repository 3.68.0 - 3.68.1 Release Notes are also available.

1 Like
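A defender-side check for the class of issue described in the announcement above, added here as an example and not code from Sonatype or from this thread: it scans access-log lines from the reverse proxy or web server in front of a repository manager for directory-traversal sequences in plain, percent-encoded, double-encoded and backslash-encoded forms, and reports which of those requests were answered with HTTP 200 (the ones worth treating as a possible file disclosure on an unpatched instance). The log format, paths, client addresses and user agents are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined log format (sample data, not real traffic).
# The first two are ordinary repository fetches; the remaining four carry traversal
# sequences in plain, percent-encoded, double-encoded and backslash-encoded forms.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2024:10:00:01 +0000] "GET /repository/maven-public/org/example/app/1.0/app-1.0.pom HTTP/1.1" 200 1834 "-" "Apache-Maven/3.9.6"
203.0.113.11 - - [16/May/2024:10:00:02 +0000] "GET /repository/raw-hosted/keys/apt-signing.gpg HTTP/1.1" 200 2244 "-" "curl/8.4.0"
198.51.100.7 - - [16/May/2024:10:00:03 +0000] "GET /repository/raw-hosted/../../../../etc/passwd HTTP/1.1" 200 1710 "-" "python-requests/2.31"
198.51.100.7 - - [16/May/2024:10:00:04 +0000] "GET /repository/raw-hosted/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [16/May/2024:10:00:05 +0000] "GET /static/%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.8 - - [16/May/2024:10:00:06 +0000] "GET /repository/raw-hosted/docs/..%5c..%5cwindows%5cwin.ini?x=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(target: str, rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (bounded, so double
    encoding such as %252e is unwrapped) and unify backslashes to forward slashes."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(decoded_path: str) -> bool:
    """True when any path segment is exactly '..' (a segment such as '..gpg' is not)."""
    return ".." in [seg for seg in decoded_path.split("/") if seg]


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded path contains a traversal segment.
    'served' marks responses that returned content (HTTP 200) rather than an error."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_path(m["target"])
        if is_traversal(decoded):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "raw": m["target"],
                "decoded": decoded,
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Per-client counts of traversal attempts and of attempts that were served content."""
    summary: dict = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"attempts": 0, "served": 0})
        entry["attempts"] += 1
        if f["served"]:
            entry["served"] += 1
    return summary


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {flag} {f["decoded"]}')
    print(summarize(results))
```

Run it over the real access log of the proxy in front of the instance for the period before the upgrade; a traversal request with a 200 response and a non-trivial byte count is the signal to investigate, while 403/404 answers show the attempt was refused. Matching on the decoded path rather than the raw one is what keeps the encoded variants from slipping past the check.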

Is there any chance that this critical issue will be properly fixed in a future version? We used the /public directory to store and publicly distribute APT repository keys which are no longer accessible after upgrading to 3.68.1.

What’s the logic behind separate Java 8/11 versions on this release? Looking through my downloads, the previous versions didn’t indicate that. Which one should we choose?

Previous version examples with no indicated Java version:
nexus-3.64.0-03-unix.tar.gz
nexus-3.62.0-01-unix.tar.gz

Hi @santoniu, that issue has been properly fixed. As part of the fix we decided to disable the undocumented feature that allowed you to serve files from /public. Rather than using an undocumented feature, I would like to suggest you explore using a Raw (Hosted) repository instead, which will give you a lot more control (including RBAC, among others).

1 Like

Hi @david.mcdonough
Separate downloads for Java 8 and 11 are to allow our users to gradually upgrade their environments without causing any sudden movements. If your environment, for whatever reason, is limited to running only Java 8, we have the opportunity to continue using our product in that environment. They had to be shipped as two separate downloads because of binary compatibility between the two, and some of our installers come with a Java VM bundled, so you can make sure you get the right version for your needs. We started offering the Java 11 flavour of Nexus Repository with 3.67.0 (here are the release notes for that version: Sonatype Nexus Repository 3.67.0 - 3.67.1 Release Notes).

Aside from what Dawid mentions, previously we only supported Java 8 and we did not test using later Java versions.

I’m trying to download the new version for testing, and the Windows link appears to be broken. When I click it, it just says “This page is temporarily unavailable - nginx.” I’ve tried Java 8, Java 11, and spot checked other Windows versions back to 3.58.1. I’ve also tried using Firefox and Chrome, as well as with my VPN on and off. All Windows versions show the same behavior. The download links for unix and macOS appear to work properly for me.

Checksum links also do not seem to be updated for the new naming. They also throw the nginx error message.

There was a problem with some of our infrastructure related to the downloads this morning. I believe it should be resolved now.

1 Like

Seems to be working now, thanks @mmartz!

Sonatype Nexus Repository version 3.68.1-02 is not yet available on the Sonatype Maven Central Repository (Maven Central: org.sonatype.nexus:nexus-repository). Could someone please provide an update on when this version will be published to the Central Repository?

I’m running Sonatype Nexus Repository OSS 3.64.0-04, how can I upgrade to this version?

Hi @lengochung.ptit - Here is the link to the documentation: Upgrading a Standalone Instance

Before starting the upgrade, ensure that your instance is stopped and a full backup of your sonatype-work directory is taken.

The most recent version can be downloaded here.
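A pre-upgrade helper for the backup step mentioned above, added here as an example and not part of Sonatype's documentation or product: it refuses to run while the instance still appears to hold its lock file, archives the whole sonatype-work directory, writes a SHA-256 sidecar, and then re-reads the archive to confirm every file made it in. The lock-file location (<sonatype-work>/nexus3/lock) is assumed from the usual data-directory layout, and the directory contents in the demo are constructed.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def instance_looks_stopped(work_dir: Path) -> bool:
    """A running Nexus 3 holds a 'lock' file under <sonatype-work>/nexus3 (assumed layout).
    Its absence is a cheap pre-flight check, not proof that the service is down."""
    return not (Path(work_dir) / "nexus3" / "lock").exists()


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _file_set(work_dir: Path) -> set[str]:
    """Every regular file under work_dir, named the way tar will store it."""
    return {
        f"{work_dir.name}/{p.relative_to(work_dir).as_posix()}"
        for p in work_dir.rglob("*")
        if p.is_file()
    }


def _archived_file_set(archive: Path) -> set[str]:
    with tarfile.open(archive, "r:gz") as tar:
        return {m.name for m in tar.getmembers() if m.isfile()}


def backup_work_dir(work_dir: Path, dest_dir: Path, label: str) -> dict:
    """Archive sonatype-work to <dest_dir>/sonatype-work-<label>.tar.gz, record its
    SHA-256 beside it, and verify the archive's file list against the source tree."""
    work_dir = Path(work_dir)
    dest_dir = Path(dest_dir)
    if not instance_looks_stopped(work_dir):
        raise RuntimeError(f"lock file present under {work_dir / 'nexus3'}; stop Nexus before backing up")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"sonatype-work-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(work_dir, arcname=work_dir.name)
    digest = sha256_of(archive)
    (dest_dir / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    expected = _file_set(work_dir)
    archived = _archived_file_set(archive)
    return {
        "archive": archive,
        "sha256": digest,
        "file_count": len(expected),
        "verified": expected == archived,
        "missing": sorted(expected - archived),
    }


if __name__ == "__main__":
    # Constructed stand-in for a real sonatype-work tree, so the script runs offline.
    tmp = Path(tempfile.mkdtemp())
    work = tmp / "sonatype-work"
    (work / "nexus3" / "etc").mkdir(parents=True)
    (work / "nexus3" / "etc" / "nexus.properties").write_text("# constructed sample\n")
    result = backup_work_dir(work, tmp / "backups", "pre-3.68.1")
    print(result)
```

Keep the .sha256 file with the archive and re-check it before relying on the backup for a rollback; the "verified" flag only proves the archive lists the same files as the source tree at backup time, not that the archive is still intact later.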