version 3.68.0 fix CVE-2024-4956

a-langer · May 21, 2024 · d44b9dd · d44b9dd
1 parent 7ee243d
commit d44b9dd
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 9 deletions.
diff --git a/.env b/.env
@@ -4,7 +4,7 @@ LOGGING_MAX_SIZE="${LOGGING_MAX_SIZE:-10M}"
 LOGGING_COUNT_FILES="${LOGGING_COUNT_FILES:-10}"
 
 ## Nexus
-NEXUS_IMAGE="${NEXUS_IMAGE:-ghcr.io/a-langer/nexus-sso:3.67.1}"
+NEXUS_IMAGE="${NEXUS_IMAGE:-ghcr.io/a-langer/nexus-sso:3.68.0}"
 NEXUS_USER="${NEXUS_USER:-nexus}"
 NEXUS_GROUP="${NEXUS_GROUP:-nexus}"
 NEXUS_DATA="${NEXUS_DATA:-./nexus_data}"

diff --git a/Dockerfile b/Dockerfile
@@ -5,11 +5,11 @@
 # docker rmi $(docker images -f "dangling=true" -q)
 # docker run --user=0:0 --rm -it -p 8081:8081/tcp sonatype/nexus3:3.37.3 /bin/bash
 
-ARG NEXUS_BASE_IMAGE="sonatype/nexus3:3.67.1"
+ARG NEXUS_BASE_IMAGE="sonatype/nexus3:3.68.0"
 FROM $NEXUS_BASE_IMAGE
 USER root
 
-ARG NEXUS_PLUGIN_VERSION="3.67.1-01"
+ARG NEXUS_PLUGIN_VERSION="3.68.0-04"
 ENV PLUG_VERSION="${NEXUS_PLUGIN_VERSION}"
 ENV NEXUS_PLUGINS="${NEXUS_HOME}/system"
 
@@ -30,6 +30,8 @@ RUN chmod -R 644 ${NEXUS_PLUGINS}/org/sonatype/nexus/nexus-repository-services/$
 COPY etc/nexus-default.properties /opt/sonatype/nexus/etc/nexus-default.properties
 COPY etc/jetty/nexus-web.xml /opt/sonatype/nexus/etc/jetty/nexus-web.xml
 COPY etc/jetty/jetty-sso.xml /opt/sonatype/nexus/etc/jetty/jetty-sso.xml
+# Fix CVE-2024-4956 https://support.sonatype.com/hc/en-us/articles/29412417068819-Mitigations-for-CVE-2024-4956-Nexus-Repository-3-Vulnerability
+COPY etc/jetty/jetty.xml /opt/sonatype/nexus/etc/jetty/jetty.xml
 COPY nexus-pac4j-plugin/src/main/config/ /opt/sonatype/nexus/etc/sso/config/
 COPY nexus-pac4j-plugin/src/main/groovy/ /opt/sonatype/nexus/etc/sso/script/
 RUN chown nexus:nexus -R /opt/sonatype/nexus/etc/sso/

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![license](https://img.shields.io/badge/license-EPL1-brightgreen.svg)](https://github.com/a-langer/nexus-sso/blob/main/LICENSE "License of source code")
 [![image](https://ghcr-badge.deta.dev/a-langer/nexus-sso/latest_tag?trim=major&label=latest)][0]
-[![image-size](https://ghcr-badge.deta.dev/a-langer/nexus-sso/size?tag=3.67.1)][0]
+[![image-size](https://ghcr-badge.deta.dev/a-langer/nexus-sso/size?tag=3.68.0)][0]
 [![JitPack](https://jitpack.io/v/a-langer/nexus-sso.svg)][1]
 
 Patch for [Nexus OSS][2] with authorization via [SSO][9] and [tokens][10]. By default this features available only in PRO version ([see comparison][5]), but this patch provides them an alternative implementation without violating the license.

diff --git a/etc/jetty/jetty.xml b/etc/jetty/jetty.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+  <Arg name="threadpool">
+    <New id="threadpool" class="org.sonatype.nexus.bootstrap.jetty.InstrumentedQueuedThreadPool">
+      <Set name="maxThreads">400</Set>
+    </New>
+  </Arg>
+
+  <New id="NexusHandler" class="org.sonatype.nexus.bootstrap.jetty.InstrumentedHandler">
+    <Arg>
+      <New id="NexusWebAppContext" class="org.eclipse.jetty.webapp.WebAppContext">
+        <Set name="descriptor"><Property name="jetty.etc"/>/nexus-web.xml</Set>
+        <!-- Fix CVE-2024-4956 https://support.sonatype.com/hc/en-us/articles/29412417068819-Mitigations-for-CVE-2024-4956-Nexus-Repository-3-Vulnerability -->
+        <!-- <Set name="resourceBase"><Property name="karaf.base"/>/public</Set> -->
+        <Set name="contextPath"><Property name="nexus-context-path"/></Set>
+        <Set name="throwUnavailableOnStartupException">true</Set>
+        <Set name="configurationClasses">
+          <Array type="java.lang.String">
+            <Item>org.eclipse.jetty.webapp.WebXmlConfiguration</Item>
+          </Array>
+        </Set>
+      </New>
+    </Arg>
+  </New>
+
+  <Set name="handler">
+    <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
+      <Set name="handlers">
+        <Array type="org.eclipse.jetty.server.Handler">
+          <Item>
+            <Ref refid="NexusHandler"/>
+          </Item>
+        </Array>
+      </Set>
+    </New>
+  </Set>
+
+  <Set name="stopAtShutdown">true</Set>
+  <Set name="stopTimeout"><Property name="jetty.stop.timeout" default="5000"/></Set>
+  <Set name="dumpAfterStart"><Property name="jetty.dump.start" default="false"/></Set>
+  <Set name="dumpBeforeStop"><Property name="jetty.dump.stop" default="false"/></Set>
+
+  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+    <Set name="outputBufferSize">
+      <Property name="jetty.output.buffer.size" default="32768"/>
+    </Set>
+    <Set name="outputAggregationSize">
+      <Property name="jetty.output.aggregation.size" default="8192"/>
+    </Set>
+    <Set name="requestHeaderSize">
+      <Property name="jetty.request.header.size" default="8192"/>
+    </Set>
+    <Set name="responseHeaderSize">
+      <Property name="jetty.response.header.size" default="8192"/>
+    </Set>
+    <Set name="sendServerVersion">
+      <Property name="jetty.send.server.version" default="true"/>
+    </Set>
+    <Set name="sendDateHeader">
+      <Property name="jetty.send.date.header" default="true"/>
+    </Set>
+    <Set name="headerCacheSize">512</Set>
+    <Set name="delayDispatchUntilContent">
+      <Property name="jetty.delayDispatchUntilContent" default="false"/>
+    </Set>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.sonatype.nexus.bootstrap.jetty.DockerSubdomainRequestCustomizer">
+          <Arg>
+            <Property name="nexus-context-path"/>
+          </Arg>
+          <Arg type="int">
+            <Property name="application-port" default="-1"/>
+          </Arg>
+          <Arg type="int">
+            <Property name="application-port-ssl" default="-1"/>
+          </Arg>
+        </New>
+      </Arg>
+    </Call>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/>
+      </Arg>
+    </Call>
+  </New>
+
+  <!-- =========================================================== -->
+  <!-- Get the platform MBeanServer                                -->
+  <!-- =========================================================== -->
+  <Call id="MBeanServer" class="java.lang.management.ManagementFactory" name="getPlatformMBeanServer" />
+
+  <!-- =========================================================== -->
+  <!-- Initialize the Jetty MBeanContainer                         -->
+  <!-- =========================================================== -->
+  <Call name="addBean">
+    <Arg>
+      <New id="MBeanContainer" class="org.eclipse.jetty.jmx.MBeanContainer">
+        <Arg>
+          <Ref refid="MBeanServer" />
+        </Arg>
+      </New>
+    </Arg>
+  </Call>
+
+  <!-- Add the static log -->
+  <Call name="addBean">
+    <Arg>
+      <Get class="org.eclipse.jetty.util.log.Log" name="Log" />
+    </Arg>
+  </Call>
+
+</Configure>
diff --git a/nexus-docker/pom.xml b/nexus-docker/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>com.github.a-langer</groupId>
         <artifactId>nexus-sso</artifactId>
-        <version>3.67.1</version>
+        <version>3.68.0</version>
         <relativePath>..</relativePath>
     </parent>
     <artifactId>nexus-docker</artifactId>

diff --git a/nexus-pac4j-plugin/pom.xml b/nexus-pac4j-plugin/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>com.github.a-langer</groupId>
         <artifactId>nexus-sso</artifactId>
-        <version>3.67.1</version>
+        <version>3.68.0</version>
         <relativePath>..</relativePath>
     </parent>
 

diff --git a/nexus-repository-services/pom.xml b/nexus-repository-services/pom.xml
@@ -7,7 +7,7 @@
     <parent>
         <groupId>com.github.a-langer</groupId>
         <artifactId>nexus-sso</artifactId>
-        <version>3.67.1</version>
+        <version>3.68.0</version>
         <relativePath>..</relativePath>
     </parent>
     <artifactId>nexus-repository-services</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
     <groupId>com.github.a-langer</groupId>
     <artifactId>nexus-sso</artifactId>
     <packaging>pom</packaging>
-    <version>3.67.1</version>
+    <version>3.68.0</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Single Sign-On patch for Nexus OSS</description>
 
@@ -14,7 +14,7 @@
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
         <nexus.base.version>${project.version}</nexus.base.version>
-        <nexus.extension.version>01</nexus.extension.version>
+        <nexus.extension.version>04</nexus.extension.version>
         <nexus.plugin.version>${nexus.base.version}-${nexus.extension.version}</nexus.plugin.version>
     </properties>