In March, a researcher from Twistlock contacted us about two issues he had identified, both stemming from user access settings. As with any disclosure, we looked into it immediately.
The disclosure questioned the long-standing ability to configure a repository so that artifacts can be read anonymously. Because this was not a new capability, and because it supports legitimate use cases, we treated it not as a typical zero-day but as a product UX change that makes the secure configuration easier to choose. We therefore took a more deliberate and thorough approach than we would with a true zero-day.
The majority of repository managers are deployed behind a firewall and intentionally configured to allow anonymous read access for sharing artifacts. This is a useful capability for organizations that choose to use it.
Exposing wide-open read access on the public Internet should obviously be considered carefully, but as many public forges show, the ability to serve common artifacts without requiring users to sign up is critically important.
While we disagreed with the assessment that anonymous access should be removed from the product entirely, we agreed that more could be done to require a deliberate choice about enabling anonymous access during initial setup. We addressed this as quickly as possible with a rolling fix: one part in our 3.16.2 release and one in our most recent update, 3.17.
As always, we emphasize the importance of upgrading to the latest version of Nexus Repository. In this case, we additionally ask organizations to re-review whether anonymous read access is appropriate for their use case.
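One way to turn that re-review into a repeatable check, as an added example that is not Sonatype's code or part of the original post: the script below asks a Nexus Repository 3 instance for its anonymous-access setting and classifies the result according to whether the instance faces the Internet. It assumes the REST endpoint `GET /service/rest/v1/security/anonymous` is present on your version and returns JSON with an `enabled` field (plus `userId` and `realmName`); the endpoint path, the field names, and the `SAMPLE_RESPONSE` data are assumptions for illustration, so confirm them against the API browser of your own instance before relying on the script.

```python
# Added example (not Sonatype's code): audit whether a Nexus Repository 3
# instance still allows anonymous reads, so the "re-review" can be scripted.
# Assumptions: the REST endpoint GET /service/rest/v1/security/anonymous
# exists on your version and returns JSON like
# {"enabled": true, "userId": "anonymous", "realmName": "NexusAuthorizingRealm"};
# check the API browser of your own instance before relying on it.
import base64
import json
import sys
import urllib.request

ANONYMOUS_ENDPOINT = "/service/rest/v1/security/anonymous"  # assumed path

# Constructed sample response, used for offline demonstration only.
SAMPLE_RESPONSE = {
    "enabled": True,
    "userId": "anonymous",
    "realmName": "NexusAuthorizingRealm",
}


def fetch_anonymous_settings(base_url, username, password, timeout=10):
    """GET the anonymous-access settings using HTTP basic auth (admin credentials)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ANONYMOUS_ENDPOINT,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def assess_anonymous_access(settings, internet_facing):
    """Classify the setting.

    Returns (severity, message) where severity is one of
    "ok", "review", "high" or "error" (malformed response).
    """
    if not isinstance(settings, dict) or "enabled" not in settings:
        return ("error", "unexpected response; could not read the 'enabled' field")
    if not settings["enabled"]:
        return ("ok", "anonymous access is disabled")
    user = settings.get("userId", "anonymous")
    realm = settings.get("realmName", "unknown realm")
    if internet_facing:
        return ("high",
                f"anonymous access is enabled (user '{user}', realm '{realm}') on an "
                "Internet-facing instance; confirm every repository readable by that "
                "user is meant to be public")
    return ("review",
            f"anonymous access is enabled (user '{user}', realm '{realm}') behind the "
            "firewall; confirm this is intentional for the artifacts being shared")


def main(argv):
    # Usage: python audit_anonymous.py https://nexus.example.internal admin 'secret' [internet-facing]
    # With no arguments the constructed sample response is assessed instead.
    if len(argv) < 4:
        severity, message = assess_anonymous_access(SAMPLE_RESPONSE, internet_facing=False)
        print(f"[{severity}] (sample data) {message}")
        return 0
    base_url, username, password = argv[1:4]
    internet_facing = len(argv) > 4 and argv[4] == "internet-facing"
    severity, message = assess_anonymous_access(
        fetch_anonymous_settings(base_url, username, password), internet_facing)
    print(f"[{severity}] {message}")
    return 0 if severity == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only reports the global switch; a "review" or "high" result should be followed by checking which repositories the anonymous user's role can actually read, since the setting is harmless for a repository that grants that user nothing and serious for one that exposes internal artifacts.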