
Sonatype Repository Firewall Quarantine Patch Fix

There was a critical issue with Sonatype Nexus Repository versions 3.57.0 and 3.58.0, which impacted deployments of the Sonatype Repository Firewall.

The identified issue reset the ‘quarantine as of date’ when Sonatype Nexus Repository was started after the update. As a result, previously quarantined components were “un-quarantined” upon server reboot.

How can I tell if I’m impacted?

You are impacted if:

  1. You are using Sonatype Nexus Repository versions 3.57.0 or 3.58.0 and Sonatype Repository Firewall.

  2. The Repository Firewall quarantine feature is enabled.

As a result, previously quarantined components will be made available to developers upon request.

How can I fix the issue?

The fix is to upgrade to the latest release as soon as possible; these patch releases revert the change at the root cause of the incident. As part of the upgrade, you will also need to take the following actions:

  1. In your nexus.properties file, add the property nexus.firewall.quarantineFix.enabled=true

  2. After starting Sonatype Nexus Repository 3.57.1 / 3.58.1, a user with Task administration permissions will need to create a Firewall Quarantine Timestamp Correction task and run it manually.

Execute this task to repair the affected quarantine data. This single task applies to all repositories with quarantine enabled, is expected to have minimal impact on operational performance, and completes within minutes regardless of deployment size.
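For step 1 above, the following POSIX shell script is an added example (not Sonatype's own tooling) that sets nexus.firewall.quarantineFix.enabled=true in a nexus.properties file idempotently: it replaces an existing active assignment (for example one set to false) rather than appending a duplicate, and reports whether anything changed. The function names and the example path in the comment are assumptions; pass the real path of your nexus.properties file as the first argument.

```shell
#!/bin/sh
# Idempotently enable nexus.firewall.quarantineFix.enabled=true (step 1 of the fix).
# Usage: enable_quarantine_fix /path/to/nexus.properties
# The usual location is under the Nexus data directory, e.g.
# $NEXUS_DATA/etc/nexus.properties (assumed; check your installation).

KEY="nexus.firewall.quarantineFix.enabled"
# Escape the dots so the key matches literally in sed/grep basic regexes.
KEY_RE=$(printf '%s' "$KEY" | sed 's/\./\\./g')

# Print the current active value of KEY in the given file.
# Prints nothing if the file is missing or the key is absent or commented out.
quarantine_fix_value() {
    file="$1"
    [ -f "$file" ] || return 0
    # Whitespace around '=' is tolerated; the last active assignment wins.
    sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# Ensure exactly one active line "KEY=true" exists in the file.
# Returns 0 if the file was changed, 1 if it was already correct.
enable_quarantine_fix() {
    file="$1"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if [ "$(quarantine_fix_value "$file")" = "true" ]; then
        return 1
    fi
    # Drop any existing active assignment of KEY, then append the fix.
    tmp="${file}.tmp.$$"
    grep -v "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=true\n' "$KEY" >> "$tmp"
    mv "$tmp" "$file"
    return 0
}
```

Restart Sonatype Nexus Repository on the patched release afterwards so the property is read, then proceed to step 2.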

What other actions should I be taking for enhanced protection?

Sonatype Lifecycle Customers:

Establish mitigating controls through the Lifecycle UI by reviewing your policy actions:

  1. Review your Lifecycle Dashboard for new violations of policies set to Fail at the Proxy stage. Note: You can filter by Age of the Policy Violation since upgrading to your current instance of Sonatype Nexus Repository to curate the violation list.

  2. If you notice any new policy violations in Step 1, set the violating policies to Fail at the Build, Stage, or Release Stages until those application teams are able to remediate the violation.

What if I can’t upgrade right away?

We strongly urge you to upgrade as soon as possible. If you are unable to upgrade to one of the patch releases (3.57.1 / 3.58.1) and complete the above steps immediately, please refer to the mitigation options below:

Sonatype Lifecycle Customers:

Establish mitigating controls through the Lifecycle UI by reviewing your policy actions.

  1. Set the following policies to block at the Build, Stage, or Release stages: Security-Namespace Conflict, Security-Malicious, and Integrity-Rating.

  2. Review your Lifecycle Dashboard for new violations of policies set to Fail at the Proxy stage. Note: You can filter by Age of the Policy Violation since upgrading to your current instance of Sonatype Nexus Repository to curate the violation list.

  3. If you notice any new policy violations in Step 2, set the violating policies to Fail at the Build, Stage, or Release stages until those application teams are able to remediate the violation.

Sonatype Repository Firewall / Sonatype Nexus Repository-only Customers:

Avoid restarting your Sonatype Nexus Repository instance until you can upgrade to one of the patched releases.

If you need additional assistance, please have one of your authorized support contacts open a Support ticket.