Critical Cleanup Policy Bug Advisory

Warning

This bug is fixed in release 3.41.1, which is now available. Please download and upgrade to this or a later release.

Sonatype has discovered a critical bug that can cause cleanup policies to unintentionally delete binaries in Nexus Repository Pro deployments using H2 or PostgreSQL.

Who is Impacted?

Deployments meeting all of the following criteria are impacted by this bug:

  • Your deployment must be using Nexus Repository Pro 3.31.0 to 3.41.0

  • Your deployment must have been explicitly migrated to or originally deployed using an H2 or PostgreSQL database

  • Cleanup policies must be applied to one or more repositories

  • Those cleanup policies must have Component Age or Component Usage criteria

What Database am I Using?

If you are unsure what database you are using, take the following steps:

  • Check your $data-dir/etc/nexus.properties for nexus.datastore.enabled=true

    • Property does not exist - you are using OrientDB and are not impacted by this bug

    • Property does exist - you are using either H2 or PostgreSQL and are potentially impacted by this bug

      • If there is also a $nexus-dir/etc/fabric/nexus-store.properties file that contains a Postgres JDBC URL, then you are using PostgreSQL

      • If no Postgres JDBC URL exists, but you do have nexus.datastore.enabled=true in your $data-dir/etc/nexus.properties, then you are using H2
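
The file checks above can be scripted when several instances need to be triaged. This is an added example, not Sonatype's own tooling; the function names are hypothetical, and it assumes that a commented-out property counts as absent and that the JDBC URL may be written with properties-style escaped colons (`jdbc\:postgresql\:`).

```shell
#!/bin/sh
# Added example: classify the Nexus Repository database backend from config files.
# Usage: detect_nexus_db <data-dir> <nexus-dir>  -> prints orientdb | h2 | postgresql

detect_nexus_db() {
    local data_dir="$1"
    local nexus_dir="$2"
    local props="$data_dir/etc/nexus.properties"
    local store="$nexus_dir/etc/fabric/nexus-store.properties"

    # Step 1: an active nexus.datastore.enabled=true line must exist.
    # Anchoring at line start means "# nexus.datastore.enabled=true" does not count
    # (assumption: a commented-out property is treated as not present).
    if [ ! -f "$props" ] ||
       ! grep -Eq '^[[:space:]]*nexus\.datastore\.enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$props"; then
        echo orientdb
    # Step 2: datastore enabled; an uncommented Postgres JDBC URL means PostgreSQL.
    # The pattern accepts both jdbc:postgresql and the escaped form jdbc\:postgresql.
    elif [ -f "$store" ] &&
         grep -Eq '^[[:space:]]*[^#![:space:]].*jdbc\\?:postgresql' "$store"; then
        echo postgresql
    else
        # Step 3: datastore enabled but no Postgres JDBC URL found.
        echo h2
    fi
}

# Exit status 0 when the backend is one the advisory lists as potentially impacted.
is_potentially_impacted() {
    case "$(detect_nexus_db "$1" "$2")" in
        h2|postgresql) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: ./check.sh /path/to/data-dir /path/to/nexus-dir
if [ "$#" -eq 2 ]; then
    detect_nexus_db "$1" "$2"
fi
```

A result of h2 or postgresql only satisfies the database criterion; the version and cleanup policy criteria listed under "Who is Impacted?" still have to be checked separately.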

Or

  • Log into your Nexus Repository instance as an administrator

  • Navigate to Administration → Repository and see if there is a Data Store menu item available

    • Menu item does not exist - you are using OrientDB and are not impacted by this bug

    • Menu item does exist - you are using either H2 or PostgreSQL and are potentially impacted by this bug

What Should You Do if You are Currently Impacted?

If your deployment meets all of the above criteria, you should immediately take the following actions:

How Can You Prevent Impact if Not Currently Affected?

If your deployment does not meet all of the above criteria, you should take the following actions to prevent impact:

  • If not currently using H2 or PostgreSQL, do not migrate at this time

  • If you are already using H2 or PostgreSQL and have any cleanup policies, disable the cleanup policy tasks and blob store cleanup task:

    • Navigate to Admin → System → Tasks

    • Locate the Cleanup Service task and the Admin - Compact blob store task in the task list; select each task to open the detailed view

    • Uncheck the Task enabled box for each task

  • If you are already using H2 or PostgreSQL, do not create new cleanup policies.