¡¾Â©¶´Í¨¸æ¡¿Sonatype Nexus Repository 3·¾¶±éÀú©¶´£¨CVE-2024-4956£©

Ðû²¼Ê±¼ä 2024-05-20


Ò»¡¢Â©¶´¸ÅÊö

©¶´Ãû³Æ

  Sonatype   Nexus Repository 3·¾¶±éÀú©¶´

CVE   ID

CVE-2024-4956

©¶´ÀàÐÍ

·¾¶±éÀú

·¢ÏÖʱ¼ä

2024-05-20

©¶´ÆÀ·Ö

7.5

©¶´Æ·¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ÀûÓÃÄѶÈ

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

ÒѹûÈ»

ÔÚÒ°ÀûÓÃ

δ·¢ÏÖ

 

Sonatype Nexus Repository 3£¨Í¨³£¼ò³ÆΪNexus3£©ÊÇÒ»¸öÓÉSonatype¿ª·¢µÄ¶ÑÕ»¹ÜÀí¹¤¾ß£¬ÓÃÓÚ¹ÜÀíºÍÍйÜÖÖÖÖÈí¼þ¹¹¼þ£¨ÈçMaven¹¹¼þ¡¢Docker¾µÏñµÈ£©£¬ËüÌṩÁËÒ»ÖÖ¼¯Öл¯µÄ·½Ê½À´´æ´¢¡¢¹ÜÀíºÍ·Ö·¢Èí¼þ¹¹¼þ£¬ÒÔ×ÊÖúÍŶÓЭ×÷ºÍ¹¹½¨×Ô¶¯»¯¡£

2024Äê5ÔÂ20ÈÕ£¬¶«É­Æ½Ì¨¼¯ÍÅVSRC¼à²âµ½Sonatype Nexus Repository 3ÖÐÐÞ¸´ÁËÒ»¸ö·¾¶±éÀú©¶´£¨CVE-2024-4956£©£¬¸Ã©¶´µÄCVSSÆÀ·ÖΪ7.5¡£

Sonatype Nexus Repository 3.0.0 - 3.68.0°æ±¾ÖдæÔÚ·¾¶±éÀú©¶´£¬Î´¾­Éí·ÝÑéÖ¤µÄÍþвÕ߿ɽṹ¶ñÒâURL·ÃÎÊÄ¿±êϵͳÉϵÄÈÎÒâÎļþ£¬°üÂÞNexus Repository Ó¦Ó÷¨Ê½·¶Î§Ö®ÍâµÄϵͳÎļþ£¬ÀÖ³ÉÀûÓø鶴¿ÉÄܵ¼ÖÂÓ¦Ó÷¨Ê½Ô´´úÂë¡¢ÅäÖúÍÒªº¦ÏµÍ³ÎļþµÈÃô¸ÐÐÅϢй¶¡£

  

¶þ¡¢Â©¶´¸´ÏÖ

image.png 


Èý¡¢Ó°Ï췶Χ

 Sonatype Nexus Repository 3.x OSS/Pro °æ±¾ < 3.68.1

 

ËÄ¡¢Äþ¾²´ëÊ©

4.1 Éý¼¶°æ±¾

Ä¿Ç°¸Ã©¶´ÒѾ­ÐÞ¸´£¬ÊÜÓ°ÏìµÄ Sonatype Nexus Repository 3ʵÀýÓû§¿ÉÉý¼¶µ½ Sonatype Nexus Repository OSS/Pro 3.68.1»ò¸ü¸ß°æ±¾¡£

ÏÂÔØÁ´½Ó£º

https://help.sonatype.com/en/download.html

4.2 ÁÙʱ´ëÊ©

ÎÞ·¨Á¢¼´Éý¼¶µÄSonatype Nexus RepositoryʵÀý£¬¿Éͨ¹ý±à¼­/etc/jetty/jetty.xml ²¢É¾³ýÎļþÖеÄÒÔÏÂÐÐÀ´»º½â¸Ã©¶´£º

//  <Set name="resourceBase"><Property name="karaf.base"/>/public</Set>

ÖØÆô Nexus Repository£¬Ê¹¸ü¸ÄÉúЧ¡£

×¢£º´Ë¸ü¸Ä¿É·Àֹ©¶´±»ÀûÓ㬵«Ò²»á×èÖ¹Ó¦Ó÷¨Ê½´Ó/public Ŀ¼¼ÓÔØÎļþ£¬Õâ¿ÉÄܻᵼÖÂijЩUI äÖȾÎÊÌ⣬µ«²»»áÓ°ÏìºËÐIJúÎ﹦Ч¡£Éý¼¶µ½ÐÞ¸´°æ±¾ºóµÄʵÀýÎÞÐèɾ³ý¸ÃÐС£

4.3 ͨÓý¨Òé

l  ¶¨ÆÚ¸üÐÂϵͳ²¹¶¡£¬¼õÉÙϵͳ©¶´£¬ÌáÉý·þÎñÆ÷µÄÄþ¾²ÐÔ¡£

l  ¼ÓǿϵͳºÍÍøÂçµÄ·ÃÎÊ¿ØÖÆ£¬Ð޸ķÀ»ðǽ¼Æı£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻò·þÎñ£¬¼õÉÙ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬¼õÉÙ¹¥»÷Ãæ¡£

l  ʹÓÃÆóÒµ¼¶Äþ¾²²úÎÌáÉýÆóÒµµÄÍøÂçÄþ¾²ÐÔÄÜ¡£

l  ¼ÓǿϵͳÓû§ºÍȨÏÞ¹ÜÀí£¬ÆôÓöàÒòËØÈÏÖ¤»úÖƺÍ×îСȨÏÞÔ­Ôò£¬Óû§ºÍÈí¼þȨÏÞÓ¦±£³ÖÔÚ×îµÍÏ޶ȡ£

l  ÆôÓÃÇ¿ÃÜÂë¼Æı²¢ÉèÖÃΪ¶¨ÆÚÐ޸ġ£

4.4 ²Î¿¼Á´½Ó

https://help.sonatype.com/en/sonatype-nexus-repository-3-68-0-release-notes.html

https://support.sonatype.com/hc/en-us/articles/29412417068819-Mitigations-for-CVE-2024-4956-Nexus-Repository-3-Vulnerability

 


Îå¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-05-20

Ê×´ÎÐû²¼

V1.1

2024-05-24

ÐÂÔö©¶´¸´ÏÖ


Áù¡¢¸½Â¼

6.1 ¶«É­Æ½Ì¨¼ò½é

¶«É­Æ½Ì¨½¨Á¢ÓÚ1996Ä꣬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ´´½¨µÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Äþ¾²¸ß¿Æ¼¼ÆóÒµ¡£ÊǹúÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Äþ¾²²úÎï¡¢Äþ¾²·þÎñ½â¾ö·½°¸µÄÁ캽ÆóÒµÖ®Ò»¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°¶«É­Æ½Ì¨´óÏ㬹«Ë¾Ô±¹¤6000ÓàÈË£¬Ñз¢ÍŶÓ1200ÓàÈË, ¼¼Êõ·þÎñÍŶÓ1300ÓàÈË¡£ÔÚÈ«¹ú¸÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬ÓµÓÐÁýÕÖÈ«¹úµÄÏúÊÛÌåϵ¡¢ÇþµÀÌåϵºÍ¼¼ÊõÖ§³ÖÌåϵ¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬¶«É­Æ½Ì¨ÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷´´ÐµÄÄþ¾²²úÎïºÍ×î¼Ñʵ¼ù·þÎñ£¬×ÊÖú¿Í»§È«ÃæÌáÉýÆäIT»ù´¡ÉèÊ©µÄÄþ¾²ÐÔºÍÉú²úЧÄÜ£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Äþ¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Å¬Á¦¡£

6.2 ¹ØÓÚ¶«É­Æ½Ì¨

¶«É­Æ½Ì¨Äþ¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸ö©¶´Í¨¸æºÍ·çÏÕÔ¤¾¯£¬ÎÒÃǽ«Á¬Ðø¸ú×ÙÈ«Çò×îеÄÍøÂçÄþ¾²Ê¼þºÍ©¶´£¬ÎªÆóÒµµÄÐÅÏ¢Äþ¾²±£¼Ý»¤º½¡£

¹Ø×¢ÎÒÃÇ£º

image.png