Sonatype Nexus Security Advisory - REST API Vulnerability
Date: March 3, 2014
Affected Versions: Nexus OSS/Pro versions from 2.4.0 to 2.7.1
Fixed in Version: Nexus OSS/Pro version 2.7.2-03
A critical security vulnerability has been discovered in Nexus requiring immediate action. The vulnerability makes use of an unauthenticated execution path that allows for the creation of user accounts. We have now added a mitigating control in the latest release and with patches available for prior affected releases. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.
This vulnerability was identified by an external researcher and has been verified by our security team. We are not aware of any active exploits taking advantage of this issue. However, we strongly encourage all users of Nexus to immediately take the steps outlined in this advisory and we recommend the Nexus administrator validate all existing user accounts.
The identified vulnerability can allow an attacker to escalate a session, granting administrative privileges in the running Nexus instance without requiring user authentication. We are highly recommending all instances of Nexus that are run affected versions (i.e. 2.4.0 through 2.7.1) either upgrade to Nexus 2.7.2 or have the patch detailed in this advisory applied.
We are taking steps to mitigate this vulnerability in public forge instances and are also providing remediation guidance to the overall Nexus user community. We are also coordinating with NIST as part of the vulnerability disclosure process and further details will become publicly available as soon as that process is complete. The placeholder identifier for this vulnerability is CVE-2014-2034.
The vulnerability associated with this advisory is fixed in Nexus 2.7.2, which can be downloaded from the links below:
For detailed information on upgrade compatibility, please see:
If you want to patch an existing instance to address this vulnerability see below.
Compatibility of Patch:
Specific patches are available for the range of affected versions (2.4.0 - 2.7.1). A single patch version works for both OSS and Pro versions of Nexus.
To install this patch, download the nexus-restlet1x-plugin zip file matching your version of Nexus:
Shut down Nexus
Move $NEXUS_HOME/nexus/WEB-INF/plugin-repository/nexus-restlet1x-plugin-<version> into a separate directory to allow for a rollback if there are any problems with the patch. This MUST NOT be kept in the plugin-repository directory.
Unzip the downloaded nexus-restlet1x-plugin in $NEXUS_HOME/nexus/WEB-INF/plugin-repository
To confirm the patch has been installed correctly, go to "Administration/Plugin Repository" in the UI and make sure the version of the restlet plugin is correct. Note that the name of this plugin will differ depending on which version of Nexus you are running:
- Nexus 2.4.x - "Nexus Restlet 1.x Plugin" version 2.4.0-10
- Nexus 2.5.x - "Restlet 1.x Plugin" version 2.5.1-02
- Nexus 2.6.x - "Nexus Core API (Restlet 1.x Plugin)" version 2.6.4-03
- Nexus 2.7.x - "Nexus Core API (Restlet 1.x Plugin)" version 2.7.2-03
If you run into any problems, or have any questions/concerns, please contact us. You can do this by filing a ticket at https://support.sonatype.com.
Frequently Asked Questions:
Q: What is the risk associated with this vulnerability?
A: Nexus can be compromised, allowing an attacker to create user accounts, including administrative accounts, in any running instance of Nexus without requiring authentication. The attacker created account can then perform any actions based on the privileges granted to that user. For example, administrative accounts have the ability to manipulate the contents of the Nexus repository.
Q: Sonatype recently announced the discovery of another serious vulnerability in Nexus. Why is another vulnerability being announced so soon?
A: Last year Sonatype established a program that engages the white hat community (“ethical hackers”) in proactive security research associated with our product and service offerings. We have also increased our own level of investment in application security. The combination of these factors has led to more rigorous practices around the application security of our products, ultimately leading greater levels of security and reduced operational risk for customers. While such disclosures can be challenging for users, this proactive approach ensures the greatest chance of avoiding potentially malicious attacks. We will always strive to handle these situations as diligently and as expeditiously as possible.
Q: What preconditions must be met in order to be vulnerable?
A: An attacker must have network access to the Nexus instance. Therefore, internet accessible instances of Nexus imply available access by very large audience versus the more limited audience associated with non-internet accessible instances.
Q: Are there implications associated with this advisory itself?
A: Disclosure unfortunately means bad actors may try to take advantage. While we have initially limited the information to the minimum details necessary for users to affect an appropriate fix, this merely slows down a would be attacker. As such, we are advising all organizations utilizing Nexus to immediately assess their individual impact and take appropriate action in response.
Q: Where can I obtain more information associated with the vulnerability?
A: Sonatype will be releasing details of this vulnerability as part of a standard CVE disclosure process. At this time, and in the interest of best protecting our user community, we are limiting the information released to that absolutely required in order to assess impact and affect remediation.
Q: Why is Sonatype making this information available?
A: This is part of a responsible disclosure process. Given Nexus is an open source project used by over 20,000 organizations worldwide, notifying the user base will invariably lead to broad dissemination. We are taking a concerted and proactive approach in our outreach activities and an effort to achieve the most rapid remediation possible.
Q: How can I be sure I am notified of new advisories in the future?
A: Sonatype periodically publishes vulnerability announcements for popular components as part of our CLM security research. Any notable alerts on Sonatype products will also be published to this list. You may subscribe to this low volume advisory list here: http://www.sonatype.org/advisories/subscribe/