
Security: OpenImaj nexus instance appears compromised #166

Open
mateor opened this issue Jun 30, 2019 · 2 comments

@mateor

commented Jun 30, 2019

I strongly suspect that the OpenImaj maven server is compromised and serving counterfeit artifacts under dozens of org namespaces.

I discovered this by reading Artifactory request logs, local publish was failing because Artifactory would discover (and download) files from maven.openimaj.com masquerading as my own library and consider them the source of truth.

Examples
I made a dummy namespace to iterate with while I debugged the failures:
http://maven.ecs.soton.ac.uk/content/groups/maven.openimaj.org/com/mateo/shaded/foobar.mateo.again2/

Steps

  1. Artifactory virtual repository, with maven.openimaj.com as a remote
  2. Run local publish, the only resolver in the ivysettings.xml is internal Artifactory instance
  3. Publishing process exits non-zero, with "file already exists" errors.

Behavior
Artifactory appears to check all known remote maven repos before publishing a coordinate, as duplicate detection. But when it contacted the openimaj server for my coordinate, maven.openimaj.com immediately began writing bogus files under that coordinate's namespace.

These are not duplicates or copies - the extensions are SHAs and asc signatures, but the contents show code injection/adware.

Effects
There are malicious files for dozens of orgs on this server, a clear security risk for them and their users.
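The report above describes checksum (.sha1) and signature (.asc) sidecar files whose contents are not digests at all. The following script is an added example, not code from the OpenImaj project or from Artifactory, that scans a local Maven-layout directory and classifies each artifact by the state of its .sha1 sidecar: missing, malformed (not a 40-hex-character digest), mismatching, or ok. The directory layout, coordinates and file contents are constructed sample data; it does not verify .asc signatures, which would need a GPG keyring.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A Maven .sha1 sidecar should hold a 40-character hex digest, optionally
# followed by the file name. Anything else (markup, script text) is a red flag
# in itself, before the digest is even compared.
HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_of(path: Path) -> str:
    return hashlib.sha1(path.read_bytes()).hexdigest()


def check_artifact(jar: Path) -> dict:
    """Classify one artifact by the state of its .sha1 sidecar."""
    sidecar = jar.with_name(jar.name + ".sha1")
    result = {"artifact": jar.name, "status": "ok", "detail": ""}
    if not sidecar.exists():
        result.update(status="missing_checksum", detail="no .sha1 sidecar")
        return result
    raw = sidecar.read_text(errors="replace").strip()
    token = raw.split()[0] if raw else ""
    if not HEX_SHA1.match(token):
        result.update(status="malformed_checksum",
                      detail=f"sidecar is not a hex digest: {raw[:40]!r}")
        return result
    actual = sha1_of(jar)
    if actual != token.lower():
        result.update(status="checksum_mismatch",
                      detail=f"sidecar says {token}, file hashes to {actual}")
    return result


def scan_repo(root: Path) -> dict:
    """Map artifact file name -> status for every .jar under root."""
    return {r["artifact"]: r["status"]
            for r in map(check_artifact, sorted(root.rglob("*.jar")))}


def build_sample_repo(root: Path) -> None:
    """Constructed sample data (not taken from the issue): three coordinates in Maven layout."""
    clean = root / "com/example/clean/1.0"
    clean.mkdir(parents=True)
    jar = clean / "clean-1.0.jar"
    jar.write_bytes(b"PK\x03\x04 constructed clean jar bytes")
    (clean / "clean-1.0.jar.sha1").write_text(sha1_of(jar) + "  clean-1.0.jar\n")

    # Sidecar whose content is markup rather than a digest: the shape the issue describes.
    bogus = root / "com/example/bogus/1.0"
    bogus.mkdir(parents=True)
    (bogus / "bogus-1.0.jar").write_bytes(b"PK\x03\x04 constructed bogus jar bytes")
    (bogus / "bogus-1.0.jar.sha1").write_text(
        "<html><body>placeholder for injected content</body></html>\n")

    # Digest is well-formed but was computed over different bytes.
    swapped = root / "com/example/swapped/1.0"
    swapped.mkdir(parents=True)
    (swapped / "swapped-1.0.jar").write_bytes(b"PK\x03\x04 constructed swapped jar bytes")
    (swapped / "swapped-1.0.jar.sha1").write_text("a" * 40 + "\n")


def demo() -> dict:
    """Build the constructed sample repo in a temp dir and return its scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:20s} {name}")
```

Pointing `scan_repo` at a real local repository cache (for example `~/.m2/repository`) reports every artifact whose sidecar a proxy could have replaced; the `malformed_checksum` class is the cheapest signal, since it needs no trusted reference digest.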

@jonhare


Member

commented Jun 30, 2019

From what I can tell, it's not our instance that's been compromised, but rather our nexus was proxying a remote repo that had been compromised :(

I believe I've fixed the immediate problem by disabling all the proxied repositories - I'll hunt through to try and figure out which one was causing the problems. In the meantime maven.openimaj.org will only contain the openimaj jars, but none of the external dependencies (although hopefully most of them are available on central anyway).

@jonhare


Member

commented Jun 30, 2019

Following up - I seem to have isolated and removed the compromised proxy, and reinstated everything else back to normal. @mateor can you please test that it now behaves properly for you?
