Oh er.
Thanks for the heads-up.
And the warning to look in dependency POMs to see if they in turn add to
the repository resolver chain.
Andy
On 28/04/2021 16:15, Rob Vesse wrote:
Hey Folks
If you weren’t already aware Apache Maven put out a 3.8.1 release to address a
CVE this week:
https://maven.apache.org/docs/3.8.1/release-notes.html
https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E
This CVE relates to a possible supply chain poisoning attack if a Maven project
directly (or indirectly via its plugins/dependencies) references insecure
repositories (i.e. non-HTTPS repositories).
Anyone working with Maven day to day should make sure they’ve upgraded their
Maven installations both locally and within any CI/CD infrastructure you might
be using (your corporate security teams at your $dayjob may already be
chasing you about this).
I haven’t seen any reports that this is being actively exploited, but there has
been a bunch of security research published lately about supply chain poisoning
(e.g. https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 as a
prominent example widely reported in the tech press) that suggests it’s best to
be protected against these kinds of attacks.
Hope this helps,
Rob Vesse
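Added example (not Rob's or Andy's, and not the Maven project's own code): a small Python scanner for the condition described above, checking a project POM and, as Andy suggests, the cached dependency and plugin POMs under a local repository for repositories declared over anything other than HTTPS. The sample POM and the .example.test hosts are constructed.

```python
# Added example (not from the thread): find Maven repositories declared over plain
# HTTP, the condition Maven 3.8.1 blocks by default, in one POM or a whole ~/.m2.
import os
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
REPO_TAGS = ("repository", "pluginRepository")  # resolver declarations in a POM


def find_insecure_repositories(pom_xml):
    """Return [(id, url)] for every repository whose URL is not https://."""
    found = []
    for elem in ET.fromstring(pom_xml).iter():
        # Tags may or may not carry the POM namespace; normalise before matching.
        ns = MAVEN_NS if elem.tag.startswith(MAVEN_NS) else ""
        if elem.tag[len(ns):] not in REPO_TAGS:
            continue
        repo_id = elem.findtext(ns + "id", default="(no id)")
        url = (elem.findtext(ns + "url") or "").strip()
        if not url.lower().startswith("https://"):
            found.append((repo_id, url))
    return found


def scan_local_repository(root_dir):
    """Walk root_dir and report insecure repositories in any pom.xml or *.pom,
    which catches repositories that dependencies and plugins add transitively."""
    report = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not (name.endswith(".pom") or name == "pom.xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_insecure_repositories(fh.read())
            except (ET.ParseError, OSError):
                continue  # skip unreadable or malformed POMs
            if hits:
                report[path] = hits
    return report


# Constructed sample POM (not a real project): one HTTPS and two HTTP resolvers.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.test/</url></pluginRepository>
  </pluginRepositories>
</project>"""
```

Run `scan_local_repository(os.path.expanduser("~/.m2/repository"))` to see which cached dependency POMs would pull in an HTTP resolver on an older Maven.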