Sonatype Nexus Repository Manager Default Credentials Detected

Article ID: 223939

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Our vulnerability scan has detected that Sonatype Nexus Repository Manager default credentials are being used. Will changing the passwords (or disabling the user) cause issues?

Environment

Release : 6.7

Component : CA RELEASE AUTOMATION CORE

Resolution

Nolio uses only one user to connect to the repository. It is controlled by the username/password keys in the conf/nolio-repo.properties file. The guidance below assumes:

  1. The nolio-repo.properties file is configured to use: username=admin
  2. There are no actions (or anything else in the environment) communicating with Nexus using the deployment and/or anonymous users.


The management server uses the "hostname" key in the conf/nolio-repo.properties file to determine which Nexus repository it connects to. A blank "hostname" value means the Nexus service on the local management server is used. If the "hostname" key points to a remote server, that remote server is the active Nexus repository and the Nexus server on the management server is considered inactive. If the "hostname" key is blank, localhost, or the name of the local management server, the local Nexus repository is the active one.

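As an added illustration (not code from the article or from the Nolio product), the following Python reads a constructed sample of conf/nolio-repo.properties and applies the rule above to decide whether the Nexus on the local management server is the active one, and which user Nolio connects as, so the matching section of the guidance can be chosen. The local host names and the sample contents are assumptions; the file name and the "username" and "hostname" keys are the ones the article names.

```python
import socket

# Constructed sample of conf/nolio-repo.properties; not taken from a real install.
SAMPLE_PROPERTIES = """\
# Nexus connection used by the Nolio management server
username=admin
password=changed-at-first-start
hostname=
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def nexus_is_local(hostname_value, local_names):
    """True when the Nexus on the management server is the active one.

    Blank, 'localhost', or any name of the local management server means the
    local Nexus is active; any other value points at a remote (active) Nexus.
    """
    value = hostname_value.strip().lower()
    if value in ("", "localhost"):
        return True
    return value in {name.lower() for name in local_names}


def local_nexus_state(text, local_names):
    """Return ('active' | 'inactive', configured username) for the local Nexus."""
    props = parse_properties(text)
    state = "active" if nexus_is_local(props.get("hostname", ""), local_names) else "inactive"
    return state, props.get("username", "")


if __name__ == "__main__":
    host = socket.gethostname()                      # assumed: run on the management server
    state, user = local_nexus_state(SAMPLE_PROPERTIES, {host, host.split(".")[0]})
    print(f"local Nexus is {state}; Nolio connects as '{user}'")
    if user != "admin":
        print("assumption 1 does not hold: Nolio is not configured to use the admin user")
```

The password value is parsed but never printed; the script only reports which guidance section applies.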
Active Nexus Repository Servers

Based on the criteria above, this guidance applies to Active Nexus Repo servers.

State of default nexus repository users:

  • admin: When Nolio first starts, it changes the default password of the admin user. This user should remain active. Any update to its password must be accompanied by updating the password Nolio uses (via the conf/nolio-repo.properties file).
  • anonymous: This user may be disabled.
  • deployment: This user may be disabled.

Inactive Nexus Repository Servers

Based on the criteria above, this guidance applies to Inactive Nexus Repo servers.

State of default nexus repository users:

  • admin: When Nolio first starts, it changes the default password of the admin user. This user should remain active. Any update to its password must be accompanied by updating the password Nolio uses (via the conf/nolio-repo.properties file).
  • anonymous: This user may be disabled.
  • deployment: This user may be disabled.

Additional Information

To disable users in Nexus:

  1. Log into the nexus repo web ui (http://<hostname>:<port>/nexus) as admin.
  2. Expand "Security" drop down on the left.
  3. Select "Users".
  4. Select the user of interest.
  5. When you select a user in the upper right portion of the UI, the bottom portion shows that user's properties.
  6. One of the user properties is "Status". To disable the user, change it from "Active" to "Disabled".