Vulnerable log4j-1.2.16.jar reported in Sonatype Nexus repository manager

Article ID: 370595

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

After upgrading the Nolio Data Management server from 6.8 to 6.9, old log4j jars are still present in the Sonatype Nexus storage path.

Vulnerabilities are being reported for the following old log4j files.

Path                                   : /opt/deploy/CA/ReleaseAutomationServer/sonatype-work/nexus/storage/nolio-actions/default_actions_group/log4j/1.2.16/log4j-1.2.16.jar
Installed version                      : 1.2.16
Security End of Life                   : August 5, 2015
Time since Security End of Life (Est.) : 8 years

Path                                   : /opt/deploy/CA/ReleaseAutomationServer/sonatype-work/nexus/storage/nolio-actions/.nexus/attributes/default_actions_group/log4j/1.2.16/log4j-1.2.16.jar
Installed version                      : 1.2.16
Security End of Life                   : August 5, 2015
Time since Security End of Life (Est.) : 8 years

Environment

Nolio Release Automation 6.8, 6.9

Sonatype Nexus Repository Manager

Resolution

These files are not Release Automation default files. They belong to content that a repository user or Nolio user loaded into the Nexus repository.
Check whether they are still required in the repository and, if not, delete them from the repository.
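
To support that check, the following read-only inventory is an added example, not part of the original article or of Release Automation. The function name `inventory_log4j1` is hypothetical; it lists every log4j 1.x jar name under a Nexus storage directory with its repository, version, and whether the file is really a ZIP/JAR archive, and it deletes nothing.

```bash
#!/usr/bin/env bash
# Added example: read-only inventory of log4j 1.x jar names under a Nexus
# storage directory. Prints one tab-separated line per file:
#   repository <TAB> version <TAB> type <TAB> path relative to storage/
# type is "jar" when the file starts with the ZIP magic bytes "PK",
# otherwise "not-a-zip" (a file that only carries the jar's name).

inventory_log4j1() {
    _root="${1%/}"
    # log4j-1.2-api-*.jar is the Log4j 2 compatibility bridge, not log4j 1.x,
    # so it is excluded from the match.
    find "$_root" -type f -name 'log4j-1.[0-9]*.jar' \
         ! -name 'log4j-1.2-api-*' 2>/dev/null |
    while IFS= read -r _f; do
        _rel="${_f#"$_root"/}"
        _repo="${_rel%%/*}"          # first directory below storage/ is the repository
        _ver="$(basename "$_f" .jar)"
        _ver="${_ver#log4j-}"
        # Read the first two bytes as hex; a real JAR begins with 50 4b ("PK").
        _magic="$(od -An -tx1 -N2 "$_f" | tr -d ' \n')"
        if [ "$_magic" = "504b" ]; then _type="jar"; else _type="not-a-zip"; fi
        printf '%s\t%s\t%s\t%s\n' "$_repo" "$_ver" "$_type" "$_rel"
    done
}

# When run as a script, pass the storage directory from the scan report, e.g.
#   ./inventory.sh /opt/deploy/CA/ReleaseAutomationServer/sonatype-work/nexus/storage
if [ -d "${1:-}" ]; then
    inventory_log4j1 "$1"
fi
```

The repository column shows which Nexus repository to inspect before deciding whether an artifact is still required.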

Additional Information

The default admin password for Nexus Repository Manager can be changed:
Admin password for Nexus Repository Manager