A cybersecurity researcher has raised a series of alarms about vulnerabilities affecting Maven repository managers; Maven is a widely used tool for building and managing Java projects. This expert, with years of experience finding flaws in Java application security, had in 2019 discovered a vulnerability that allows arbitrary file reading on search.maven.org, the platform associated with Maven Central, the main source of Java libraries for many tech companies. Access to Maven Central and the ability to replace popular libraries could give an attacker direct access to critical systems in almost any company using Java.
During his research, the expert decided to delve into how Maven repositories work and focused on finding weaknesses in various repository managers, which are essential for storing and retrieving these libraries. In his findings, he highlights that Maven artifacts, generally compiled JAR files, can contain arbitrary data, opening the door to serious attacks like remote code execution, especially when repository managers allow the placement of malicious scripts in pom.xml files.
Maven repository managers, such as Sonatype Nexus and JFrog Artifactory, although robust, pose inherent risks when they allow users to download and execute artifacts. The researcher identified several vulnerabilities, such as stored XSS flaws that can abuse this mechanism to execute scripts in the browser of a user with administrative access to the interface.
Furthermore, his study described a technique known as “name confusion,” which attackers can use to create files within repositories under arbitrary names and potentially poison commonly used artifacts in the industry. The most concerning cases include the possibility of serving malicious artifacts to users, trading on the trust placed in commonly used libraries.
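The defensive counterpart to the name confusion problem is to insist that an artifact's three names agree: the coordinates implied by its repository path, the file name inside that directory, and the coordinates declared in its pom, with a checksum sidecar tying the bytes to the name. The following checker is an added example written for this article, not code from the researcher or from any repository manager; it assumes the standard Maven 2 repository layout (`<groupId with dots as slashes>/<artifactId>/<version>/<artifactId>-<version>[-<classifier>].<ext>`), and the pom text, paths and JAR bytes in it are constructed samples.

```python
from __future__ import annotations

import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed standard Maven 2 layout (hypothetical checker, not a repository manager's own code):
#   <groupId with '.' -> '/'>/<artifactId>/<version>/<artifactId>-<version>[-<classifier>].<ext>
PATH_RE = re.compile(
    r"^(?P<group>(?:[A-Za-z0-9_\-]+/)+)"
    r"(?P<artifact>[A-Za-z0-9_.\-]+)/"
    r"(?P<version>[A-Za-z0-9_.\-]+)/"
    r"(?P<file>[^/]+)$"
)
# What may follow the <artifactId>-<version> stem: optional classifier, then extensions
# such as ".jar", ".pom", ".jar.sha1", ".tar.gz". Extensions must start with a letter, so a
# longer version like "1.2.3" cannot pass as "1.2" plus extension ".3".
SUFFIX_RE = re.compile(r"(?:-[A-Za-z0-9_]+)?(?:\.[A-Za-z][A-Za-z0-9]*)+")


@dataclass
class Coordinates:
    group_id: str
    artifact_id: str
    version: str


def parse_repo_path(path: str) -> tuple[Coordinates, str] | None:
    """Derive coordinates from a repository-relative path; None if the layout is not respected."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    group = m.group("group").rstrip("/").replace("/", ".")
    return Coordinates(group, m.group("artifact"), m.group("version")), m.group("file")


def filename_matches(coords: Coordinates, filename: str) -> bool:
    """The file name must be <artifactId>-<version> plus an optional classifier and extensions."""
    stem = f"{coords.artifact_id}-{coords.version}"
    if not filename.startswith(stem):
        return False
    return SUFFIX_RE.fullmatch(filename[len(stem):]) is not None


def _child_text(el: ET.Element | None, name: str) -> str:
    if el is None:
        return ""
    for child in el:
        if child.tag.split("}")[-1] == name:  # ignore the POM XML namespace
            return (child.text or "").strip()
    return ""


def pom_coordinates(pom_xml: str) -> Coordinates:
    """Coordinates a pom declares; groupId and version may be inherited from <parent>."""
    root = ET.fromstring(pom_xml)
    parent = next((c for c in root if c.tag.split("}")[-1] == "parent"), None)
    group = _child_text(root, "groupId") or _child_text(parent, "groupId")
    version = _child_text(root, "version") or _child_text(parent, "version")
    return Coordinates(group, _child_text(root, "artifactId"), version)


def checksum_ok(data: bytes, sidecar: str, algo: str = "sha1") -> bool:
    """Compare artifact bytes with a checksum sidecar ('<hex>' or '<hex>  <filename>')."""
    parts = sidecar.split()
    if not parts:
        return False
    return hashlib.new(algo, data).hexdigest() == parts[0].lower()


def audit_artifact(path: str, pom_xml: str | None = None,
                   data: bytes | None = None, sidecar: str | None = None) -> list[str]:
    """Return findings for one upload; an empty list means path, file name, pom and bytes agree."""
    parsed = parse_repo_path(path)
    if parsed is None:
        return [f"path {path!r} does not follow the Maven 2 repository layout"]
    coords, filename = parsed
    findings: list[str] = []
    if not filename_matches(coords, filename):
        findings.append(f"file name {filename!r} disagrees with path coordinates {coords}")
    if pom_xml is not None and pom_coordinates(pom_xml) != coords:
        findings.append(f"pom declares {pom_coordinates(pom_xml)}, path implies {coords}")
    if data is not None and sidecar is not None and not checksum_ok(data, sidecar):
        findings.append("checksum sidecar does not match the artifact bytes")
    return findings


# Constructed sample inputs (not real artifacts).
GOOD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>widget</artifactId>
  <version>1.2.3</version>
</project>"""
# Same upload path, but the pom claims coordinates of a different (constructed) library.
CONFUSED_POM = GOOD_POM.replace("com.example", "org.popular").replace("widget", "core")
SAMPLE_JAR = b"PK\x03\x04constructed-jar-bytes"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_JAR).hexdigest()

if __name__ == "__main__":
    for case in (
        ("com/example/widget/1.2.3/widget-1.2.3.pom", GOOD_POM, None, None),
        ("com/example/widget/1.2.3/widget-1.2.3.pom", CONFUSED_POM, None, None),
        ("com/example/widget/1.2.3/core-9.9.9.jar", None, None, None),
        ("com/example/widget/1.2.3/widget-1.2.3.jar", None, SAMPLE_JAR + b"x", SAMPLE_SHA1),
        ("../../etc/passwd", None, None, None),
    ):
        print(case[0], "->", audit_artifact(*case) or "ok")
```

The useful property is that each check catches a different way of putting a file where it does not belong: a path outside the layout (including traversal-looking names) is rejected outright, a file whose name does not match its directory is flagged, a pom that claims other coordinates than its location implies is flagged, and a checksum sidecar that disagrees with the bytes is flagged. A repository manager that enforces all four on upload, and a proxy that enforces the last one on fetch, leaves far less room for an attacker-chosen name to be served under the trust of a well-known library.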
The researcher also warned about the use of repository proxies within organizations, since many companies choose to run their own Maven repositories. While this practice offers benefits such as reducing bandwidth consumption and enhancing security, it can also result in an expanded attack surface. When these repositories are configured to act as proxies for external libraries, they may be vulnerable to attacks if proper controls are not in place.
In conclusion, the study emphasizes the importance of reinforcing security in Maven repository managers, not only through patches and improvements to existing tools, but also by fostering a proactive security culture among the developers who rely on these libraries. The research was presented at the Ekoparty security conference, sparking critical discussion on best development practices in an ecosystem where library and dependency management is crucial. With these revelations, efforts are expected to intensify to secure the supply chain for these vital development tools in today’s technological landscape.
via: MiMub in Spanish