A New OpenSSL Vulnerability Is Coming – Get Ready to Patch

On Tuesday, 1 November, between 1 and 5 pm UTC, a new version of the widely adopted OpenSSL 3.x series will be released for general consumption. The OpenSSL project announced this on its mailing list and on Twitter, also revealing the existence of a new CRITICAL security vulnerability that this patch fixes ...

Weaponizing Open Source Through Job Recruiting

Over the last week, troubling new reports have arisen about state-sponsored threat actors leveraging modified open source applications to compromise employees' machines at technology companies, governments, and non-profit organizations. Microsoft, Mandiant, and Ars Technica have all covered the technicalities of the attack type, in which bad actors pose as recruiters who target ...

Spring4Shell – by the numbers

Over the last few months, following the scramble that was Log4j, I have been asking folks I meet “what if another critical vulnerability was announced tomorrow? What would you do differently?” Well, last Wednesday, we got a reminder that new security vulnerabilities can and do appear ...

New Spring Framework RCE Vulnerability Confirmed (Springshell) - What You Need to Know

New Spring Framework RCE Vulnerability Confirmed – What to do?

Early Wednesday morning (GMT), allegations began to appear on the internet about a new remote code execution flaw that affects Spring Core. This vulnerability, dubbed "Springshell" by some in the community, is a new, previously unknown security vulnerability. NOTE: A separate Spring vulnerability, CVE-2021-22963 (High), disclosed a few ...

Sonatype Celebrates February 3rd 2022 as World Open Source Day

We humbly declare today, February 3rd, World Open Source Day ...

Meet an Open Source Contributor: Sal Kimmich

Editor's Note: We’re celebrating February 3rd, the day the term ‘Open Source’ was first coined, as World Open Source Day here at Sonatype by recognizing our incredible maintainers and contributors, and the open source projects they support. Read all about Sal Kimmich's journey below ...

Helping The Open Source Community Find, Fix, and Remediate Log4j

In light of the wave of security vulnerabilities and exploitation affecting Log4j, we here at Sonatype have been working to keep on top of the ever-evolving situation as the attacks mutate and as new discoveries are made in other logging frameworks ...

Log4Shell by the numbers - Why did CVE-2021-44228 set the Internet on Fire?

On Friday, the news broke about Log4Shell, an easy-to-exploit vulnerability being exploited across the world. We have kept our blog post from Friday up to date with the latest news, mitigations, and strategies that you can adopt as a maintainer or operator of software using log4j ...

Critical New 0-day Vulnerability in Popular Log4j Library Discovered with Evidence of Mass Scanning for Affected Applications

News broke early Friday morning of a serious 0-day Remote Code Execution exploit in log4j - CVE-2021-44228 - the most popular Java logging framework, used by Java software far and wide. This type of vulnerability is especially dangerous because it can be used to run arbitrary code via your software and ...

The Central Repository Stands to Support Sailors from Bintray – 3 steps to take now to protect your builds from failing

The shutdown of Bintray and JCenter comes as a rough entry on the 2021 Bingo card for many developers: most Android projects, as well as Gradle and many others, publish their artifacts via Bintray into JCenter. The migration timelines are tight for both consumers and producers of artifacts - ...