This article details the discovery and remediation of a pervasive supply chain vulnerability in the Java ecosystem: build tools resolving dependencies over plain HTTP, which lets an attacker on the network path substitute a malicious artifact for the one requested. It highlights the collaborative effort among artifact hosts, build tool maintainers, and open source projects to eliminate the risk. #JavaSupplyChain #DependencyVulnerability
Key points
- The vulnerability originated from dependency downloads over plain HTTP in the Java ecosystem; without TLS, nothing authenticates the server, so a man-in-the-middle can replace the JAR or POM in transit.
- Major artifact hosts, including Maven Central, JCenter, and the Spring repositories, stopped serving artifacts over plain HTTP, so an http:// download now fails instead of succeeding over an unauthenticated channel.
- Build tools such as Gradle, Bazel, and SBT introduced defaults that reject plain-HTTP repository URLs, so a build must explicitly opt in to keep using one.
- Over 100,000 libraries in Maven Central declared a plain-HTTP repository in their own POM; because repository declarations in dependency POMs are honoured by consumers' builds, the insecure download path was injected transitively into every project depending on those libraries.
- An automation tool was developed to mass-fix the vulnerable repositories by rewriting http:// repository URLs to https://, demonstrating that remediation at ecosystem scale can be scripted.
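The points above describe two halves of one problem: finding repository declarations that fetch over plain HTTP, and rewriting them to HTTPS with a minimal diff that a bulk pull-request tool could open. The Python below is an added example written for this page, not code from the article or from any project or tool it names. The POM and Gradle snippets are constructed inputs with hypothetical host names; the only real identifier is the Maven POM XML namespace, which deliberately appears as an http:// string that a naive grep would flag but that is not a download URL.

```python
"""Detect and rewrite plain-HTTP repository declarations in Maven POMs and Gradle scripts.

Added example for this page (not the article's or any project's code). The sample POM
and Gradle script are constructed for illustration; the host names are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"  # XML namespace identifier, not a download URL

# Constructed sample POM: two http:// repository URLs a MITM could hijack, one https:// that is fine.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>insecure-mirror</id>
      <url>http://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample Gradle (Groovy DSL) repositories block, in both URL spellings Gradle accepts.
SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://repo.example.org/maven2" }
    maven { url = uri("http://legacy.example.org/releases") }
}
"""


def _ns(tag: str) -> str:
    """Qualify a tag name with the POM namespace for ElementTree lookups."""
    return f"{{{POM_NS}}}{tag}"


def find_insecure_pom_repos(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) for every <repository>/<pluginRepository> whose <url> is plain http.

    Parsing the XML rather than grepping keeps the xmlns declaration (also http://) out of the hits.
    """
    root = ET.fromstring(pom_xml)
    hits = []
    for tag in ("repository", "pluginRepository"):
        for repo in root.iter(_ns(tag)):
            url_el = repo.find(_ns("url"))
            id_el = repo.find(_ns("id"))
            url = (url_el.text or "").strip() if url_el is not None else ""
            if url.lower().startswith("http://"):
                repo_id = id_el.text.strip() if id_el is not None and id_el.text else ""
                hits.append((repo_id, url))
    return hits


def fix_pom(pom_xml: str) -> str:
    """Rewrite only the offending <url> elements to https://; everything else stays byte-identical."""
    fixed = pom_xml
    for _, url in find_insecure_pom_repos(pom_xml):
        rest = re.escape(url[len("http://"):])
        fixed = re.sub(rf"(<url>\s*)http://({rest})(\s*</url>)", r"\1https://\2\3",
                       fixed, flags=re.IGNORECASE)
    return fixed


# Matches `url "http://..."`, `url 'http://...'` and `url = uri("http://...")` inside a Gradle script.
GRADLE_URL = re.compile(r"""(\burl\s*=?\s*(?:uri\(\s*)?["'])http://([^"']+)(["'])""", re.IGNORECASE)


def find_insecure_gradle_repos(script: str) -> list[str]:
    """Return every plain-http URL passed to `url` in a Gradle repositories block."""
    return ["http://" + m.group(2) for m in GRADLE_URL.finditer(script)]


def fix_gradle(script: str) -> str:
    """Switch each matched repository URL to https://, preserving quoting and spacing."""
    return GRADLE_URL.sub(r"\1https://\2\3", script)


if __name__ == "__main__":
    for label, finder, fixer, text in (
        ("pom.xml", find_insecure_pom_repos, fix_pom, SAMPLE_POM),
        ("build.gradle", find_insecure_gradle_repos, fix_gradle, SAMPLE_GRADLE),
    ):
        print(label, "insecure:", finder(text))
        print(label, "after fix:", finder(fixer(text)))
```

Two design choices matter for bulk remediation. The fix functions edit the original text in place instead of re-serialising the parsed tree, so the resulting pull request touches only the URL lines and is easy for a maintainer to review. And the scan runs over one file at a time, which is exactly why the problem needed fixing upstream: a consumer cannot grep its own pom.xml to find repository declarations that arrive transitively from a dependency's POM, so the http:// URL has to be removed in the library that declares it.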