Talend Security Advisory: CVE-2019-7238 Bundled Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager is bundled with Talend Installers 7.0.1 and 7.1.1, which are affected by CVE-2019-7238.

The Nexus Repository Manager is used alongside the Talend product and provides the following services:

  • Software Update is used to manage application updates (patches) distributed by Talend. By default, the talend-updates repository is embedded within Software Update and retrieves the updates published by Talend. This repository lets the user view the available updates.

  • The User libraries repository is used to store all external libraries. These libraries are retrieved by Talend Studio at start-up and are shared with Talend Administration Center using the talend-custom-libs repository.

  • The snapshots and releases repositories are used as a catalog in which all artifacts to be deployed and executed are stored. These artifacts are designed by the user from Talend Studio or any other Java IDE. By default, the snapshots repository is used for development purposes and the releases repository is used for production. These repositories make artifacts available for deployment and/or execution in an execution server.

Description of CVE-2019-7238 by Sonatype

Sonatype strongly encourages all users of Nexus Repository Manager to immediately take the steps outlined in this advisory: CVE-2019-7238 Nexus Repository Manager 3 - Missing Access Controls and Remote Code Execution.

Immediate actions required

If you are using Nexus Repository Manager 3.1.0 or newer, install Nexus 3.15.2 as advised by Sonatype.
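To turn the version range above into a repeatable inventory check, here is an added Python example (not part of Talend's or Sonatype's advisory) that parses Nexus 3 version strings and reports whether each instance falls inside the range this advisory covers: 3.1.0 or newer and older than the fixed 3.15.2. It assumes Nexus reports its version as `MAJOR.MINOR.PATCH-BUILD` (for example `3.15.2-01`) and, for the header helper, that the HTTP `Server` header has the form `Nexus/<version> (<edition>)`; the host names and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Release named in the advisory as the one to install.
FIXED_VERSION = (3, 15, 2)
# Oldest release the advisory's "3.1.0 or newer" instruction applies to.
FIRST_AFFECTED = (3, 1, 0)

# Assumed Nexus 3 version shape: MAJOR.MINOR.PATCH with an optional -BUILD suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")
# Assumed Server header shape, e.g. "Nexus/3.15.2-01 (OSS)".
_SERVER_HEADER_RE = re.compile(r"^Nexus/(\S+)")


def parse_nexus_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for '3.15.2' or '3.15.2-01'; None if unparseable.

    The build suffix is ignored on purpose: the advisory keys on the release,
    not the build number, so 3.15.2-01 and 3.15.2-02 are treated the same.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def version_from_server_header(header: str) -> Optional[str]:
    """Extract the raw version token from a Server header (assumed format)."""
    match = _SERVER_HEADER_RE.match(header.strip())
    return match.group(1) if match else None


def is_in_advisory_range(text: str) -> Optional[bool]:
    """True if FIRST_AFFECTED <= version < FIXED_VERSION, False if outside.

    Returns None when the string cannot be parsed so callers treat the host as
    'verify manually' rather than silently marking it safe.
    """
    version = parse_nexus_version(text)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into 'update', 'ok' and 'unknown' buckets from {host: version}."""
    buckets: Dict[str, List[str]] = {"update": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        verdict = is_in_advisory_range(version)
        if verdict is None:
            buckets["unknown"].append(host)
        elif verdict:
            buckets["update"].append(host)
        else:
            buckets["ok"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are illustrative only.
    sample = {
        "talend-701.example.internal": "3.14.0-04",
        "talend-711.example.internal": "3.13.0-01",
        "patched.example.internal": "3.15.2-01",
        "legacy.example.internal": "2.14.11-01",
        "odd.example.internal": "unknown-build",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `update` bucket match the advisory's instruction; `unknown` hosts should be checked by hand rather than assumed patched, and Nexus 2.x instances fall outside the "3.1.0 or newer" range this advisory describes.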

References and links

Version history: revision 7 of 7, last updated 04-02-2019 06:01 PM.