Huge RCE in log4j logging library in JVM ecosystem

dzikoysk ✨ — Fri, 10 Dec 2021 01:22:54 +0000

5 days ago log4j received hot-fix for huge RCE. It's not quite known topic and today it has been expolited in multiple projects.

https://twitter.com/dzikoysk/status/1469091718867951618

It's really easy to reproduce, you should take a look at dependencies in your projects to address this issue. At least bump it to 2.15, the best choice is to move to e.g. logback, at least for a while.

Publishing your artifacts to the Reposilite - a new self-hosted repository manager

dzikoysk ✨ — Fri, 10 Jul 2020 13:19:44 +0000

Maven ecosystem is a part of every Java developer’s life. It doesn't matter if you use Maven or Gradle, Kotlin or Scala (etc.), artifacts are exchanged via the same protocol - Maven protocol ✨.

We can publish our public projects to the official Maven Central repository, but in case of the private ones, for such a long time we could only use:

These powerful projects are a great solution for large companies, but it does not really work well for hobbyist projects and environments focused on simplicity and reduced usage of resources due to limited budget.

It's why I've created Reposilite, lightweight and open source repository manager for Maven artifacts. It is a simple solution to replace managers like Nexus, Archiva or Artifactory.

Pros:

Efficient, reduce usage of your resources to even 10MB of RAM, instead of e.g. 2GB
Extremely easy to use
Approved and listed on Apache Site
Open source ❤️

Cons:

May have lack of extra features, but you can always request for them in the issues
Focused on performance, some of heavy features may not be implemented at all

Install

Note: Project changes dynamically, so the some part of this article, like screenshots, may get outdated.

At this moment (Reposilite 2.6.1) you can use standalone jar version of Reposilite or Docker Image 🐳. If you're looking for always up to date installation guide, visit:

reposilite.com/docs/install

We'll focus on standalone version in this article, which can be downloaded from GitHub Releases page:

github.com/dzikoysk/reposilite/releases

To launch Reposilite, just run the jar archive:



$ java -Xmx16M -jar reposilite.jar

Voilà, that's pretty much all, you've just become owner of a new Maven repository in less than 1 minute ฅ^•ﻌ•^ฅ You should be able to see the result on localhost:80:

That was quick, so let's do something else. Since 2.x version, instead of complicated permission based system between users and projects, Reposilite uses access token system to authorize requests. To fully understand access tokens, visit:

reposilite.com/docs/authorization

First of all, we need to tell Maven, where we want to upload our project. For this purpose, you should declare distribution management property in your pom.xml:



<distributionManagement>
    <repository>
        <id>local-repository</id>
        <url>http://localhost:80/releases</url>
    </repository>
</distributionManagement>

To generate access token for administrator, we need to use keygen command in Reposilite CLI:



$ keygen / admin
| Generated new access token for admin(/)
| AW7-kaXSSXTRVL_Ip9v7ruIiqe56gh96o1XdSrqZCyTX2vUsrZU3roVOfF-YYF-y
| Stored tokens: 1

The / separator means, that requests signed by this token may access all the paths, e.g:

Request URI	Status
/	Authorized
/releases	Authorized
/snapshots	Authorized
/releases/our/awesome/project	Authorized

Now, you have to add a new server entry with generated token to your ~/.m2/settings.xml file:



<server>
  <!-- The id just has to match the id provided in pom.xml -->
  <id>local-repository</id>
  <username>admin</username>
  <password>AW7-kaXSSXTRVL_Ip9v7ruIiqe56gh96o1XdSrqZCyTX2vUsrZU3roVOfF-YYF-y</password>
</server>

To publish your artifact, just run:



$ mvn deploy

If you configured everything properly, you should be able to see a new version of your artifact in the repository browser! 🎉

To discover more functionalities of Reposilite, like a dashboard or remote CLI:

Visit the Reposilite - Guide and GitHub - Reposilite.

Good luck and happy deploying 🚀,
dzikoysk

DEV Community: dzikoysk ✨

Huge RCE in log4j logging library in JVM ecosystem

Publishing your artifacts to the Reposilite - a new self-hosted repository manager

Install