Re: Maven Repository Security issues: any war stories?


Re: Maven Repository Security issues: any war stories?

Manfred Moser-4
The order of repositories in a pom, settings and repo manager is crucial. Some companies use their own repos on top since they trust them the most. I have seen internal teams deploying patched versions into those, which then essentially override the real dep from Central.

This is a feature and is used quite often; however, it also opens the door for abuse at that level.

With all sorts of repos out there, you really have to check what you consume. If you consume repos that are not trustworthy or are just badly maintained, anything is possible, including security attacks; however, I have not seen it in practice.

Overall, it's important that you use Central and other trusted repos first and foremost.

Manfred

Elliotte Rusty Harold wrote on 2020-02-28 11:01 (GMT -08:00):

> Folks,
>
> A colleague is preparing a presentation on general dependency security
> issues. I'm not aware of any compromises of the Maven repo system such
> that a malicious actor was able to push malware to client systems, but
> I'm not sure it's never happened.
>
> Does anyone know about anything like the attack on npm a couple of
> years ago
> <https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets>
> that happened in the Java space?
>
> Even if something just went a little wonky in a way that could have
> been used to serve malware but wasn't, that would be almost as
> interesting.
>
> Of course, I'd love for the answer to be, "No, that's never happened
> to Java, and it can't because..." I suspect we're a little more
> resistant to these classes of attacks than npm because version ranges
> are far less common. However, I can't think of anything that would
> prevent someone from buying and compromising future versions of any
> particular artifact. It's not like intelligence agencies haven't
> bought entire companies before,
> <https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/>
> and most open source projects could be had for a lot less.
>
> --
> Elliotte Rusty Harold
> [hidden email]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

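Manfred's point above is that repository order decides which copy of an artifact a build actually consumes: a repository consulted before Central can serve a same-coordinates artifact that silently shadows the real one. The script below is an added example written for this thread, not code from either poster or from the Maven project. It parses a pom.xml, lists the repositories in the order Maven will consult them (assuming the super-POM behaviour that Central is appended last unless a repository with id "central" is redeclared), and flags the cases a reviewer should look at: plain-HTTP URLs, repositories outside a trusted allowlist, a redeclared "central", and any repository positioned ahead of Central. The allowlist, the internal host names and both sample POMs are constructed for illustration.

```python
"""Audit the repository order declared in a Maven pom.xml.

Added example, not part of the mailing-list thread. Assumes Maven's
resolution rule that repositories are consulted in declaration order,
with Central (from the super POM) last unless a repository with id
"central" is redeclared. Allowlist, hosts and sample POMs are constructed.
"""
import xml.etree.ElementTree as ET

CENTRAL_URL = "https://repo.maven.apache.org/maven2"

# Constructed allowlist: repositories the organisation has decided to trust.
TRUSTED = {
    CENTRAL_URL,
    "https://repo.example.com/releases",  # hypothetical internal release repo
}

# Constructed sample: an internal "patched builds" repo declared ahead of Central.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>internal-patched</id>
      <url>http://builds.internal.example/maven2</url>
    </repository>
    <repository>
      <id>releases</id>
      <url>https://repo.example.com/releases</url>
    </repository>
  </repositories>
</project>
"""

# Constructed sample: "central" itself redeclared to point at an internal host.
SAMPLE_POM_OVERRIDE = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>central</id>
      <url>http://builds.internal.example/maven2</url>
    </repository>
  </repositories>
</project>
"""


def declared_repositories(pom_xml):
    """Return [(id, url)] in the order Maven consults them.

    Central is appended last when the POM does not redeclare it, which
    mirrors the super-POM default.
    """
    root = ET.fromstring(pom_xml)
    # Handle both namespaced (xmlns="...") and namespace-less POMs.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    repos = []
    for repo in root.findall(f"./{ns}repositories/{ns}repository"):
        rid = (repo.findtext(f"{ns}id") or "").strip()
        url = (repo.findtext(f"{ns}url") or "").strip().rstrip("/")
        repos.append((rid, url))
    if not any(rid == "central" for rid, _ in repos):
        repos.append(("central", CENTRAL_URL))
    return repos


def audit_repositories(pom_xml):
    """Return [(repo id, finding code)] for every repository that can
    shadow or weaken the trusted source, in consultation order."""
    repos = declared_repositories(pom_xml)
    central_pos = next(i for i, (rid, _) in enumerate(repos) if rid == "central")
    findings = []
    for pos, (rid, url) in enumerate(repos):
        if rid == "central" and url != CENTRAL_URL:
            # Every default lookup now goes to this host instead of Central.
            findings.append((rid, "central-redeclared"))
        if not url.startswith("https://"):
            # Artifacts fetched over plain HTTP can be altered in transit.
            findings.append((rid, "plain-http"))
        if url not in TRUSTED:
            findings.append((rid, "untrusted"))
        if pos < central_pos and rid != "central":
            # Same groupId:artifactId:version here wins over Central's copy.
            findings.append((rid, "shadows-central"))
    return findings


if __name__ == "__main__":
    for name, pom in (("SAMPLE_POM", SAMPLE_POM), ("SAMPLE_POM_OVERRIDE", SAMPLE_POM_OVERRIDE)):
        print(name)
        for rid, url in declared_repositories(pom):
            print(f"  {rid}: {url}")
        for rid, code in audit_repositories(pom):
            print(f"  finding: {rid} -> {code}")
```

The same check belongs on settings.xml and on the repository manager's group ordering, since repositories from active settings profiles and mirror entries are consulted ahead of anything the POM declares; treating "shadows-central" as a review item rather than a hard failure keeps the deliberate internal-override feature Manfred describes usable while making each instance visible.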