Sonatype Nexus Repository Manager Default Credentials Detected

Article ID: 223939

Products

CA Release Automation - Release Operations Center (Nolio) CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

Our vulnerability scan has detected that Sonatype Nexus Repository Manager default credentials are in use. Will changing the passwords (or disabling the users) cause issues?

Environment

Release Automation 6.7, 6.8

Cause

The Nolio Management Server (also called the NAC) installs and uses the Sonatype Nexus Repository. During installation, the NAC installer prompts whether the repository is local or remote.

If you chose local, the NAC uses a local, embedded installation of Sonatype Nexus. In this case, that embedded instance is the Active Nexus Repository Server.

If you chose remote, the installer still installs a local, embedded Sonatype Nexus, but that instance is considered an Inactive Nexus Repository Server. The "Resolution" section explains how to confirm whether a Nexus Repository is "Inactive" (via the nolio-repo.properties file). Choosing "remote" also means you most likely installed a Nexus repository on a remote server using the stand-alone Nolio repository installer; if so, that remote Nexus repository is the Active Nexus Repository.

Every installation of the Sonatype Nexus Repository (local or remote) creates three default users: admin, anonymous and deployment. The default passwords of the "anonymous" and "deployment" users are not changed by the installation. This is what the scan detected and reported, as described in the "Issue/Introduction" section. This article clarifies how these users can be handled to help keep the environment secure.

 

Resolution

Nolio uses only one user to connect to the repository. It is controlled by the username/password keys in the conf/nolio-repo.properties file. The guidance below assumes:

  1. The nolio-repo.properties file is configured to use: username=admin
  2. There are no actions (or anything else in the environment) communicating with Nexus using the deployment and/or anonymous users. 

Assuming the above is true, the "deployment" and "anonymous" users can be safely disabled without impacting Nolio.

It is common for the security team to raise this finding with the Nolio administrators, usually together with the hostname that was scanned and the scan's findings. The information below helps you determine whether that server is an Active Nexus Repository Server or an Inactive Nexus Repository Server, because the steps to secure each differ slightly.

The management server uses the "hostname" key in the conf/nolio-repo.properties file to determine which Nexus repository it connects to. If the "hostname" key is blank, localhost, or the name of the local management server, the Nexus instance embedded on the management server is the active Nexus repository. If the "hostname" key points to a remote server, that remote server is the active Nexus repository and the Nexus instance on the management server is considered inactive.

Active Nexus Repository Servers

Based on the criteria above, this guidance applies to Active Nexus Repo servers.

State of default nexus repository users:

  • admin: When Nolio first starts, it changes the default password of the admin user. This user should remain active. Any update to its password must be accompanied by updating the password Nolio uses (in the conf/nolio-repo.properties file).
  • anonymous: This user may be disabled.
  • deployment: This user may be disabled. 

Inactive Nexus Repository Servers

Based on the criteria above, this guidance applies to Inactive Nexus Repo servers.

State of default nexus repository users:

  • admin: This user may be disabled.
  • anonymous: This user may be disabled.
  • deployment: This user may be disabled. 
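The Active/Inactive decision above and the per-state list of disposable users can be checked mechanically. The script below is an added example, not part of this article or of the CA Release Automation product: it reads the "hostname", "username" and "deleteAnonymousUser" keys named in this article from a constructed sample of conf/nolio-repo.properties, classifies the embedded Nexus, and reports which default users the guidance says may be disabled. It assumes a minimal Java .properties format (no line continuations or escapes) and compares "hostname" against the management server's own name as returned by socket.gethostname().

```python
"""Classify the embedded Nexus as Active or Inactive from conf/nolio-repo.properties
and list which default users this article says may be disabled (added example)."""
import socket

# Constructed sample of the keys the article mentions; a real file has more entries.
SAMPLE_PROPERTIES = """\
# Nolio repository settings (constructed sample)
hostname=
username=admin
password=******
deleteAnonymousUser=false
"""

def parse_properties(text):
    """Minimal Java .properties reader: skips blank/comment lines, splits on '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in "=:":
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props

def local_nexus_is_active(props, local_names):
    """Blank, localhost, or the management server's own name => the embedded
    Nexus is the Active repository; any other host => it is Inactive."""
    host = props.get("hostname", "").lower()
    return host in {"", "localhost"} or host in {n.lower() for n in local_names}

def users_safe_to_disable(active):
    """anonymous and deployment may always be disabled; admin only on an Inactive server."""
    return ["anonymous", "deployment"] if active else ["admin", "anonymous", "deployment"]

def assess(text, local_names):
    props = parse_properties(text)
    active = local_nexus_is_active(props, local_names)
    return {
        "active": active,
        "disable": users_safe_to_disable(active),
        "uses_admin": props.get("username") == "admin",  # the guidance assumes this
        "deleteAnonymousUser": props.get("deleteAnonymousUser", "false").lower() == "true",
    }

if __name__ == "__main__":
    print(assess(SAMPLE_PROPERTIES, [socket.gethostname()]))
```

Run it on the real file with the management server's hostname; if "uses_admin" is false, the assumption in the "Resolution" section does not hold and the deployment or anonymous user may still be in use.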

Additional Information

To disable users in Nexus:

  1. Log into the Nexus repository web UI (http://<hostname>:<port>/nexus) as admin.
  2. Expand the "Security" drop-down on the left.
  3. Select "Users".
  4. Select the user of interest.
  5. When you select a user in the upper right portion of the UI, the bottom pane shows that user's properties.
  6. One of the user properties is "Status". To disable the user, change it from "Active" to "Disabled".

deleteAnonymousUser:

The conf/nolio-repo.properties file has a "deleteAnonymousUser" key. Its value can be true or false and defaults to false. If it is set to true, Nolio deletes the Nexus Repository's anonymous user after completing an artifact upload or artifact download.