This article lists mitigation options for Sonatype Repository Nexus 3 Vulnerability CVE-2024-4956.
Option 1: Edit Sonatype Nexus Repository jetty.xml
- For each instance of Sonatype Nexus Repository in the affected version range 3.0.0 to 3.68.0, edit
(installdir)/etc/jetty/jetty.xml
and remove this one line from the file:
<Set name="resourceBase"><Property name="karaf.base"/>/public</Set>
- Restart Sonatype Nexus Repository for the change to have effect.
- Verify the change has taken effect by making a request from a private browser window (bypassing browser caching) for the robots.txt file:
Example: https://repo.example.com/robots.txt
If the response is HTTP 404 Not Found, the change is effective.
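The following script is an added example, not Sonatype's own tooling, that carries out Option 1 end to end: it removes exactly the one resourceBase line from jetty.xml (keeping a backup), and after the restart it confirms that robots.txt now returns 404 using a request with no-cache headers, which plays the role of the private browser window. The jetty.xml fragment embedded below is constructed for illustration and is not the real file's full content; the function names are this example's own.

```python
"""Added example (not Sonatype's code): apply and verify the Option 1
mitigation for CVE-2024-4956.

remove_resource_base() strips the single <Set name="resourceBase"> line
from jetty.xml text, mitigate_file() applies it to a real file with a
backup, and robots_txt_is_blocked() performs the post-restart check.
SAMPLE_JETTY_XML is a constructed fragment used only for illustration.
"""
import re
import shutil
import urllib.error
import urllib.request
from pathlib import Path

# Matches the exact line the advisory says to remove, tolerating
# surrounding whitespace but nothing else.
RESOURCE_BASE_LINE = re.compile(
    r'^\s*<Set name="resourceBase"><Property name="karaf\.base"/>/public</Set>\s*$'
)


def remove_resource_base(xml_text: str) -> tuple[str, int]:
    """Return (new_text, removed_count).

    Only the one resourceBase line is dropped; every other line, including
    indentation and line endings, is preserved so the file stays valid XML.
    """
    kept = []
    removed = 0
    for line in xml_text.splitlines(keepends=True):
        if RESOURCE_BASE_LINE.match(line):
            removed += 1
            continue
        kept.append(line)
    return "".join(kept), removed


def mitigate_file(jetty_xml: Path) -> int:
    """Edit (installdir)/etc/jetty/jetty.xml in place, keeping a .bak copy.

    Returns the number of lines removed: 1 on a first run, 0 if the file
    was already mitigated (the edit is idempotent).
    """
    original = jetty_xml.read_text(encoding="utf-8")
    new_text, removed = remove_resource_base(original)
    if removed:
        shutil.copyfile(jetty_xml, jetty_xml.with_name(jetty_xml.name + ".bak"))
        jetty_xml.write_text(new_text, encoding="utf-8")
    return removed


def robots_txt_is_blocked(base_url: str, timeout: float = 10.0) -> bool:
    """After restarting Nexus, confirm that /robots.txt now returns 404.

    The no-cache headers ask intermediaries not to serve a cached copy,
    the same purpose the advisory's private browser window serves.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/robots.txt",
        headers={"Cache-Control": "no-cache", "Pragma": "no-cache"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # A 200 here means the public directory is still being served.
            return resp.status == 404
    except urllib.error.HTTPError as err:
        return err.code == 404


# Constructed jetty.xml fragment (illustration only, not the real file).
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="PublicHandler" class="org.eclipse.jetty.server.handler.ResourceHandler">
    <Set name="resourceBase"><Property name="karaf.base"/>/public</Set>
    <Set name="dirAllowed">false</Set>
  </New>
</Configure>
"""

if __name__ == "__main__":
    import sys

    patched, count = remove_resource_base(SAMPLE_JETTY_XML)
    print(f"removed {count} line(s) from the sample:\n{patched}")
    # Pass the base URL of a restarted instance to run the live check:
    #   python mitigate.py https://repo.example.com
    if len(sys.argv) > 1:
        print("robots.txt blocked:", robots_txt_is_blocked(sys.argv[1]))
```

Run mitigate_file() once per instance in the affected range, restart, then call robots_txt_is_blocked() with the instance's base URL; a False result means the public directory is still being served and the edit or restart did not take.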
Note
This change prevents exploiting the vulnerability, but also prevents the application from loading files from the (installdir)/public directory, which includes:
favicon.ico
favicon-16x16.png
favicon-32x32.png
mstile-70x70.png
mstile-144x144.png
mstile-150x150.png
mstile-310x150.png
mstile-310x310.png
OSS-LICENSE.html
PRO-LICENSE.html
robots.txt
safari-pinned-tab.svg
apple-touch-icon.png
browserconfig.xml
COPYRIGHT.html
The side effects may result in mild UI rendering issues that do not affect core product functions.
After upgrading to a version in which this vulnerability is fixed, the line removed by this instruction is no longer necessary and is no longer included in jetty.xml.
Option 2: AWS WAF Core Rule Set - GenericLFI_URIPATH
If access to Nexus Repository is protected by AWS WAF rules, then the GenericLFI_URIPATH rule can protect against this vulnerability.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html
How to Verify Protection when using AWS WAF
Sonatype will not be publishing the steps to exploit our software. Sonatype has confirmed that, if properly applied, the GenericLFI_URIPATH rule does protect against this exploit.
The verification steps to test that Option 1 is applied do not apply to Option 2.