As of Friday Dec 10, deep-dive research data on CVE-2021-44228 has been published to Sonatype data services, and Nexus Lifecycle scans have reported affected components since Dec 10.
On Tuesday Dec 14 there was a period during which Nexus Lifecycle reported the log4j-core 2.15.0 and 2.16.0 components as vulnerable to CVE-2021-44228. This false positive was resolved as of approximately Dec 14 8:00 AM EST, and our team will be reviewing our processes to help ensure this type of incident does not happen again.
Are Sonatype products vulnerable?
Sonatype uses logback as the default logging solution in our products - not log4j. This means our software, including Nexus Lifecycle, Nexus Firewall, and Nexus Repository OSS and Pro (versions 2 and 3), is NOT vulnerable to CVE-2021-44228. We still advise keeping your software upgraded to the latest version.
How can I use Sonatype products to protect me from log4j vulnerabilities?
Sonatype has published a guide that explains how Sonatype products can help find and fix the log4j vulnerability.
What should I do if a Sonatype scan report is detecting a false positive or negative?
The first step is to initiate a new scan to verify that the issue is reproducible.
A new scan means scanning your binaries with a Nexus Lifecycle integration, promoting a scan to the same stage, or using continuous application monitoring.
Re-evaluating an existing application report will not show new data.
Re-evaluating a repository connected with Nexus Firewall will report on affected components already cached inside your repository if a ROOT org policy defines a constraint that matches a security vulnerability score greater than 9, such as the default Security-Critical policy. Re-evaluating a large repository can take a noticeable amount of time.
If an issue remains after a new scan, please contact Sonatype Support.
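Before opening a support case for a suspected false positive or negative, it helps to confirm locally whether the flagged log4j-core version actually falls inside the affected range for CVE-2021-44228. The script below is an added example and is not Sonatype code or a description of how Sonatype matches versions; it assumes the affected range from the public advisory (2.0-beta9 up to and including 2.14.1, fixed in 2.15.0) and that the artifact follows the standard log4j-core-<version>.jar naming. The jar names are constructed sample input. The point it makes is that version ranges must be compared field by field: a plain string comparison sorts 2.9.1 after 2.15.0 and produces exactly the kind of wrong verdict that leads to false positives and negatives.

```python
"""Local sanity check for a log4j-core finding: is the flagged version
actually inside the CVE-2021-44228 affected range?

Added example, not Sonatype code. The affected range (2.0-beta9 up to and
including 2.14.1, fixed in 2.15.0) is taken from the public advisory for
CVE-2021-44228. The jar names in SAMPLE_JARS are constructed sample input.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional

# Pre-release qualifiers sort below the bare release of the same number:
# 2.0-beta9 < 2.0-rc1 < 2.0. Unknown qualifiers rank after the known ones
# but still before the release.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3}
_UNKNOWN_QUALIFIER_RANK = 5
_RELEASE_RANK = 10

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")
_CORE_NAME_RE = re.compile(r"^log4j-core-(?P<version>[^/\\]+)\.jar$")


def parse_version(v: str) -> tuple:
    """Turn a Maven-style log4j version string into a comparable tuple.

    '2.14.1'    -> (2, 14, 1, 10, 0)
    '2.0-beta9' -> (2, 0, 0, 1, 9)
    '2.15.0'    -> (2, 15, 0, 10, 0)
    Numeric fields compare as integers, so 2.9.1 < 2.15.0; a plain string
    comparison gets this wrong.
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, qualifier, qualifier_num = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    if qualifier is None:
        return nums + (_RELEASE_RANK, 0)
    rank = _QUALIFIER_RANK.get(qualifier.lower(), _UNKNOWN_QUALIFIER_RANK)
    return nums + (rank, int(qualifier_num or 0))


# Affected range for CVE-2021-44228 per the public advisory.
AFFECTED_FROM = parse_version("2.0-beta9")
FIXED_IN = parse_version("2.15.0")


def affected_by_cve_2021_44228(version: str) -> bool:
    """True when version lies in [2.0-beta9, 2.15.0)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def log4j_core_version_from_name(filename: str) -> Optional[str]:
    """Extract the version from a log4j-core-<version>.jar path, else None.

    Only log4j-core carries the vulnerable code; log4j-api and other
    modules are deliberately not matched.
    """
    m = _CORE_NAME_RE.match(Path(filename).name)
    return m.group("version") if m else None


def triage(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each jar path to a verdict string for CVE-2021-44228."""
    verdicts: Dict[str, str] = {}
    for f in filenames:
        version = log4j_core_version_from_name(f)
        if version is None:
            verdicts[f] = "not log4j-core"
        elif affected_by_cve_2021_44228(version):
            verdicts[f] = f"AFFECTED by CVE-2021-44228 (log4j-core {version})"
        else:
            verdicts[f] = f"not affected by CVE-2021-44228 (log4j-core {version})"
    return verdicts


# Constructed sample input: the kind of jar list a scan might enumerate.
SAMPLE_JARS = [
    "WEB-INF/lib/log4j-core-2.14.1.jar",
    "WEB-INF/lib/log4j-core-2.15.0.jar",
    "WEB-INF/lib/log4j-core-2.16.0.jar",
    "WEB-INF/lib/log4j-core-2.0-beta9.jar",
    "WEB-INF/lib/log4j-core-2.9.1.jar",
    "WEB-INF/lib/log4j-api-2.14.1.jar",
    "WEB-INF/lib/logback-classic-1.2.7.jar",
]

if __name__ == "__main__":
    for jar, verdict in triage(SAMPLE_JARS).items():
        print(f"{jar}: {verdict}")
```

Run against the constructed list, the script marks 2.14.1, 2.0-beta9 and 2.9.1 as affected and 2.15.0 and 2.16.0 as not affected, which is the result a correct scan of those components should agree with. If a report disagrees with this check after a fresh scan, that is the evidence worth attaching to the support case.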
How can I stay updated on this issue?
Regular updates, including suggestions on how to mitigate the vulnerability, are being continually posted to our blog at https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild. Please check the blog post regularly.