Security vulnerabilities in open source software are a fact of life. Sonatype has extensive automated monitoring systems in place designed to discover zero days prior to their public disclosure.
We recently became aware of a vulnerability in plexus-archiver, a component widely used by Apache Maven and related plugins. A maliciously crafted compressed file (zip, gz, etc), can contain files that when extracted to disk, can traverse the file system potentially leading to escalated attacks. This happens when the files in the archive use paths like ../../. Plexus would unpack these files using the relative path without restricting the output only to the desired location.
Fortunately, in typical operation, Maven doesn't unpack the components it processes, so the vast majority of usage is unaffected. Additionally, an attacker would have to both create and share the malicious archive, and then get a victim to use that archive for unpacking...again where most archives aren't intended to be unpacked. Considering OS level permissions to write a file outside the intended path structure contained within the archive, this is a fairly long kill chain of unlikely events.
Sonatype has provided The Central Repository for over a decade and we take security of the users very seriously. Once we became aware of the vulnerability, our first thoughts were to ensure Central wasn't being used now, or in the future, to deliver payloads for this exploit.
The analysis phase required the investigation of components containing well over 8 billion individual file paths. In the process, we found that it is fairly common for components to include one level of directory traversal (e.g ../xxx), but exceedingly rare to see anything deeper than this. We found many “interesting” file paths but did not find any malicious file paths in the existing content.
To protect against copy-cat exploits down the road, we have taken steps to monitor, detect and block components in the future, which may include directory traversal attacks in their paths.
Not only are Sonatype's roots in open source, but we take our jobs as providers and caretakers of Central seriously. We believe in doing right by the community, making a difference where we can, and leaving things better than we found them. And, will continue to put processes in place to ensure our users never slip and fall.
.jpg)