MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries

January 22, 2024 at 12:06PM

MavenGate is a new software supply chain attack method that targets public and popular libraries used in Java and Android applications. It lets an attacker hijack existing artifacts and inject malicious code into them. Oversecured reported the issue to the affected technology companies. The attack relies on purchasing expired domain names tied to abandoned libraries. Sonatype says its automation already blocks the attack, but still recommends that both end developers and library developers take security measures.

Key takeaways from the article:

– There is a new software supply chain attack method called MavenGate that targets libraries used in Java and Android applications whose groupIds can be taken over.
– Maven groupIds follow a reverse-DNS convention (a library published from example.com lives under com.example), and repository operators verify ownership of a groupId through that domain. An attacker who buys an expired domain associated with a library can therefore claim the groupId.
– The attacker then uploads modified, "untrusted" versions of the library to a repository; because Gradle resolves dependencies from repositories in the order they are declared in the build script, a build that lists the attacker's repository ahead of the trusted one fetches the malicious version.
– The result is hijacked dependencies: the threat actor's code is pulled into every application that builds against them.
– Approximately 18.18% of the domains Oversecured analyzed were found to be vulnerable to MavenGate.
– Sonatype, which operates Maven Central, responded by disabling accounts associated with expired domains and fixing a regression in its public key validation process.
– Securing dependencies is a shared responsibility: library developers must keep their domains and publishing accounts under their control, and end developers must verify what their builds actually pull in.
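As an added example that is not from the article, Oversecured or Sonatype, the Python script below implements the two offline checks the takeaways imply for an end developer. It maps each dependency's groupId back to the domain that the reverse-DNS naming convention implies, so that list can be fed to a WHOIS or RDAP expiry lookup (which the script does not perform), and it flags Gradle repositories declared ahead of mavenCentral(). The sample coordinates, repository URLs and the hosted-prefix list are constructed assumptions for illustration.

```python
"""Two offline triage checks for MavenGate-style exposure.

Added example, not code from Oversecured, Sonatype or the article: it assumes the
reverse-DNS groupId convention and Gradle's declaration-order repository lookup,
and it runs over constructed sample data embedded below.
"""
import re

# groupIds under these hosted-service prefixes map to a domain an attacker cannot buy.
HOSTED_GROUP_PREFIXES = ("io.github.", "com.github.", "io.gitlab.", "org.bitbucket.")

COORD_RE = re.compile(r"^([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([^:\s]+)$")


def parse_coordinate(coord):
    """Split 'group:artifact:version' into its parts; reject anything else."""
    m = COORD_RE.match(coord.strip())
    if not m:
        raise ValueError(f"not a Maven coordinate: {coord!r}")
    return m.group(1), m.group(2), m.group(3)


def group_to_domain(group_id):
    """Registrable domain implied by a reverse-DNS groupId, e.g. org.apache.commons -> apache.org.

    Returns None for hosted-service groups and for groupIds that are not in reverse-DNS
    form (fewer than two labels). Assumption: the first two labels are TLD and
    second-level domain; multi-part public suffixes such as co.uk are not handled here.
    """
    if group_id.startswith(HOSTED_GROUP_PREFIXES):
        return None
    labels = group_id.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return f"{labels[1]}.{labels[0]}"


def domains_to_check(coordinates):
    """Sorted unique domains to feed to a WHOIS/RDAP expiry lookup, plus coordinates skipped."""
    domains, skipped = set(), []
    for coord in coordinates:
        group, _artifact, _version = parse_coordinate(coord)
        domain = group_to_domain(group)
        if domain:
            domains.add(domain)
        else:
            skipped.append(coord)
    return sorted(domains), skipped


# Matches the quoted URL in both `url 'https://...'` and `url = uri("https://...")` forms.
URL_RE = re.compile(r"""url\b[^"']*["']([^"']+)["']""")


def repositories_before_central(build_gradle_text):
    """URLs of custom repositories declared before mavenCentral() in repositories {} blocks.

    Gradle queries repositories in declaration order and uses the first one that serves
    the requested module, so a third-party repository listed ahead of Maven Central can
    answer for any groupId it chooses to host, including a hijacked one.
    """
    findings = []
    in_block, seen_central, depth = False, False, 0
    for line in build_gradle_text.splitlines():
        stripped = line.strip()
        if not in_block:
            if re.match(r"repositories\s*\{", stripped):
                in_block, seen_central, depth = True, False, 1
            continue
        depth += stripped.count("{") - stripped.count("}")
        if depth <= 0:  # closing brace of the repositories block
            in_block = False
            continue
        if stripped.startswith("mavenCentral()"):
            seen_central = True
        elif not seen_central:
            m = URL_RE.search(stripped)
            if m:
                findings.append(m.group(1))
    return findings


# Constructed sample input (not taken from the article or any real project).
SAMPLE_DEPENDENCIES = [
    "org.apache.commons:commons-lang3:3.14.0",
    "com.squareup.okhttp3:okhttp:4.12.0",
    "io.github.someuser:util:1.0",
    "com.example.legacy.widget:widget-core:2.3.1",
]

SAMPLE_BUILD_GRADLE = """
repositories {
    maven {
        url 'https://repo.example-mirror.test/maven2'
    }
    mavenCentral()
    maven { url = uri("https://artifacts.internal.test/releases") }
}
"""

if __name__ == "__main__":
    domains, skipped = domains_to_check(SAMPLE_DEPENDENCIES)
    print("domains to check for expiry:", domains)
    print("skipped (no purchasable domain):", skipped)
    print("repositories ahead of mavenCentral():",
          repositories_before_central(SAMPLE_BUILD_GRADLE))
```

Feed the domain list to your WHOIS or RDAP tooling and treat any expired or unregistered entry as a candidate for takeover. Repository order is only a partial fix; Gradle's dependency verification (`./gradlew --write-verification-metadata sha256` generates gradle/verification-metadata.xml) pins checksums so that a swapped artifact fails the build regardless of which repository served it.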
