In March, a researcher from Twistlock contacted us about two issues he had identified, both stemming from user access settings. As with any disclosure, we immediately looked into it.
The disclosure questioned the long-standing ability to configure a repository to allow anonymous access for reading artifacts. Since this was not a new capability, and because it supports common and legitimate use cases, we did not treat it as a zero-day vulnerability to be addressed with a technical fix alone. Instead, we approached it as a product feature UX change that makes it easier for users to be secure by default.
The majority of repository managers are deployed inside a firewall and are intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to offer organizations that choose to use it.
Obviously, providing wide-open read access on the public Internet should be carefully considered, but as many public forges demonstrate, the ability to serve common artifacts without requiring a user to sign up is critically important.
While we disagreed with the assessment that anonymous access should be removed from the product entirely, we agreed that more could be done to require a definitive choice about enabling anonymous access during initial setup. We addressed this as quickly as possible with a rolling fix: one part in our 3.16.2 release and one in our most recent update, 3.17.
As always, we want to emphasize the importance of upgrading to the latest version of Sonatype Nexus Repository. In this case, we additionally ask that organizations re-review whether their use of anonymous read access is appropriate for their use case.
Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from the Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, as well as developing and leading the development of, software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other security and development-related conferences.