Urgent: Sonatype Nexus Repository 3.68.1 Released

Lisa Durant

May 16, 2024, 10:20:35 AM
to Nexus Users
Sonatype Nexus Repository 3.68.1 fixes a critical vulnerability impacting all Sonatype Nexus Repository 3 deployments. All Sonatype Nexus Repository 3 Pro and OSS customers should upgrade to 3.68.1 as soon as possible.

While there are no known active exploits, this vulnerability could allow a specially crafted URL to return any file as a download, including system files outside of Nexus Repository application scope. See our CVE-2024-4956 KB article for full details. The Nexus Repository 3.68.0 - 3.68.1 Release Notes are also available.
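The advisory gives a fixed version but no way to tell at a glance which instances are still below it. The following is an added example, not code from the thread or from Sonatype: it parses Nexus 3 version strings and flags anything older than 3.68.1 across a constructed fleet. It assumes the version is exposed in the HTTP `Server` response header in the form `Nexus/3.68.1-02 (OSS)`; confirm that layout against one of your own instances (for example with `curl -sI`) before relying on it, since the banner can be suppressed or rewritten by a reverse proxy.

```python
import re

# Version that fixes CVE-2024-4956 per the advisory above.
FIXED_VERSION = (3, 68, 1)

# Assumed header layout: "Nexus/<major>.<minor>.<patch>-<build> (<edition>)".
# The trailing build number and edition are optional for the match.
SERVER_HEADER_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_nexus_version(server_header):
    """Return (major, minor, patch) from a Server header, or None if it is not Nexus."""
    m = SERVER_HEADER_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_vulnerable(server_header):
    """True when the header identifies a Nexus 3 build older than 3.68.1.

    Comparing integer tuples avoids the classic string-compare bug where
    "3.9.0" sorts after "3.68.1". Returns None when the header is not a Nexus banner.
    """
    v = parse_nexus_version(server_header)
    if v is None:
        return None
    return v[0] == 3 and v < FIXED_VERSION


def triage(headers_by_host):
    """Map hostname -> 'PATCH' / 'ok' / 'unknown' for a fleet of Server headers."""
    verdicts = {}
    for host, header in headers_by_host.items():
        result = is_vulnerable(header)
        verdicts[host] = "unknown" if result is None else ("PATCH" if result else "ok")
    return verdicts


# Constructed sample headers for illustration, not captured from real hosts.
SAMPLE_HEADERS = {
    "nexus-a.example": "Nexus/3.67.1-01 (OSS)",
    "nexus-b.example": "Nexus/3.68.1-02 (PRO)",
    "nexus-c.example": "Nexus/3.9.0-01 (OSS)",
    "proxy.example": "nginx/1.24.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{host:20s} {verdict}")
```

Treat an `unknown` verdict as a to-do rather than a pass: a proxy that strips the banner hides the version, it does not fix it.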

Mariska

May 21, 2024, 5:45:44 PM
to Nexus Users, ldu...@sonatype.com
Hi,
We are testing the 3.68.1 Java 11 version (OSS, with OrientDB). I have the same heap configuration (-Xms4G -Xmx4G -XX:MaxDirectMemorySize=671M in a VM with 16GB memory) as with the Java 8 version, but now I'm getting "low heap memory" errors. Is it correct that we need more heap memory, or should I tune the G1 GC? From the nexus3 documentation, it is not clear what the new settings should be for the Java 11 version.

Any help is appreciated!
Thanks, Mariska.

Fabrice Bacchella

May 22, 2024, 2:57:01 AM
to Mariska, Nexus Users, ldu...@sonatype.com
For a big deployment, my only memory tunings are:
-Xms4G
-Xmx4G
-XX:MaxDirectMemorySize=16G
-XX:+UseStringDeduplication
-XX:+UseTransparentHugePages
-XX:+UseG1GC

The only important differences in the vmoptions file are the JPMS options:
--add-reads=java.xml=java.logging
--add-exports=java.base/org.apache.karaf.specs.locator=java.xml,ALL-UNNAMED
--patch-module=java.base=/data/nexus/nexus-current/lib/endorsed/org.apache.karaf.specs.locator-4.3.9.jar
--patch-module=java.xml=/data/nexus/nexus-current/lib/endorsed/org.apache.karaf.specs.java.xml-4.3.9.jar
--add-opens=java.base/java.security=ALL-UNNAMED
--add-opens=java.base/java.net=ALL-UNNAMED
--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED
--add-opens=java.naming/javax.naming.spi=ALL-UNNAMED
--add-opens=java.rmi/sun.rmi.transport.tcp=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED
--add-exports=jdk.xml.dom/org.w3c.dom.html=ALL-UNNAMED
--add-exports=jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED
--add-exports=java.security.sasl/com.sun.security.sasl=ALL-UNNAMED

and you need to remove:
-Djava.endorsed.dirs=/data/nexus/nexus-current/lib/endorsed
-XX:+UnsyncloadClass
--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/d84ca1c4-729f-473f-904d-eb86b0d8411en%40glists.sonatype.com.

Rich Seddon

May 22, 2024, 9:19:58 AM
to Nexus Users, fbacc...@gmail.com, Nexus Users, Lisa Durant, Mariska

Mariska

May 27, 2024, 1:21:16 AM
to Nexus Users, Rich Seddon, fbacc...@gmail.com, Nexus Users, ldu...@sonatype.com, Mariska
Hi Rick,

Thanks for your reply. 

I am aware of the recommendations, but it seems that with java 11, more heap memory is used. I did not see the 'low heap memory' in the same server with java 8.
The JVM settings in our Nexus3 OSS are: Xmx=Xms=4GB and MaxDirectMemorySize=6GB. But could it do harm to increase those to Xmx=Xms=8GB and MaxDirectMemorySize=10GB, even though it is not recommended for the Java 11 version?

Unfortunately, we won't have the budget to move to Pro yet. It would be nice if OSS users could also move to a Postgres database. Hope this feature will become available for OSS as well.

Kind regards,
Maris
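Two things in this thread are easy to get wrong by hand: Fabrice's list of options that must be added or removed when a Java 8 era nexus.vmoptions file is carried over to Java 11, and Mariska's question of whether a bigger heap plus a bigger direct-memory cap still fits the VM. The following is an added example, not code from the thread or from Sonatype, that audits a vmoptions file against Fabrice's list and does the memory arithmetic. The removed-option and JPMS lists are copied from his message; the sample vmoptions file is constructed, not a real one; and the 25% headroom left for the OS, metaspace, thread stacks and code cache is an assumed figure, not a Sonatype recommendation.

```python
import re

# Options Fabrice says must go on Java 11 (the JVM refuses to start with an
# unrecognized -XX flag, and java.endorsed.dirs is not supported on Java 9+).
REMOVED_ON_JAVA11 = ("-XX:+UnsyncloadClass", "-Djava.endorsed.dirs=")

# JPMS options from Fabrice's Java 11 vmoptions. The two --patch-module entries
# carry an install-specific jar path, so they are matched on their prefix only.
REQUIRED_JPMS = (
    "--add-reads=java.xml=java.logging",
    "--add-exports=java.base/org.apache.karaf.specs.locator=java.xml,ALL-UNNAMED",
    "--patch-module=java.base=",
    "--patch-module=java.xml=",
    "--add-opens=java.base/java.security=ALL-UNNAMED",
    "--add-opens=java.base/java.net=ALL-UNNAMED",
    "--add-opens=java.base/java.lang=ALL-UNNAMED",
    "--add-opens=java.base/java.util=ALL-UNNAMED",
    "--add-opens=java.naming/javax.naming.spi=ALL-UNNAMED",
    "--add-opens=java.rmi/sun.rmi.transport.tcp=ALL-UNNAMED",
    "--add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED",
    "--add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED",
    "--add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED",
    "--add-exports=jdk.xml.dom/org.w3c.dom.html=ALL-UNNAMED",
    "--add-exports=jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED",
    "--add-exports=java.security.sasl/com.sun.security.sasl=ALL-UNNAMED",
)

_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
_MULT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
GIB = 1 << 30


def parse_size(s):
    """JVM size literal ('671M', '4G', '1048576') -> bytes."""
    m = _SIZE_RE.match(s)
    if not m:
        raise ValueError(f"not a JVM size: {s!r}")
    return int(m.group(1)) * _MULT[m.group(2).lower()]


def parse_vmoptions(text):
    """One option per line; blank lines and '#' comments are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_java11(opts):
    """Return (options that must be removed, required JPMS options that are missing)."""
    remove = [o for o in opts if o.startswith(REMOVED_ON_JAVA11)]
    missing = [r for r in REQUIRED_JPMS if not any(o.startswith(r) for o in opts)]
    return remove, missing


def memory_budget(opts, host_ram, headroom=0.25):
    """Lower bound on the JVM footprint: -Xmx plus -XX:MaxDirectMemorySize.

    Metaspace, thread stacks and the code cache come on top of these two, so
    `headroom` (assumed fraction of host RAM kept free for them and the OS) is generous.
    """
    heap = direct = 0
    for o in opts:
        if o.startswith("-Xmx"):
            heap = parse_size(o[len("-Xmx"):])
        elif o.startswith("-XX:MaxDirectMemorySize="):
            direct = parse_size(o.split("=", 1)[1])
    total = heap + direct
    return {"heap": heap, "direct": direct, "total": total,
            "fits": total <= host_ram * (1 - headroom)}


# Constructed Java 8 era nexus.vmoptions using Mariska's first numbers; not a real file.
JAVA8_VMOPTIONS = """\
-Xms4G
-Xmx4G
-XX:MaxDirectMemorySize=671M
-XX:+UnsyncloadClass
-Djava.endorsed.dirs=/data/nexus/nexus-current/lib/endorsed
-XX:+UseG1GC
"""

if __name__ == "__main__":
    opts = parse_vmoptions(JAVA8_VMOPTIONS)
    remove, missing = audit_java11(opts)
    print("remove:", remove)
    print("missing JPMS options:", len(missing))
    # Mariska's proposed 8G heap + 10G direct memory on a 16 GB VM.
    print(memory_budget(["-Xmx8G", "-XX:MaxDirectMemorySize=10G"], 16 * GIB))
```

On the sample file the audit reports both Java 8 options for removal and all sixteen JPMS options as missing; the 8G + 10G proposal sums to 18 GiB of committed heap plus direct buffers, which cannot fit a 16 GB VM regardless of headroom, whereas the existing 4G + 6G does.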
