CVE-2021-26291 – Apache Maven follows repository references defi... (How to Fix)

📋 TL;DR

Apache Maven follows repository references defined in dependency POM files, allowing malicious actors to redirect builds to compromised repositories. This affects Maven users who build projects with dependencies from untrusted sources. Users employing repository managers are unaffected.

💻 Affected Systems

Products:

Apache Maven

Versions: All versions before 3.8.1

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects builds that download dependencies from repositories defined in dependency POMs, not those using repository managers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious dependency injection leading to supply chain compromise, arbitrary code execution during build process, and credential theft from build servers.

🟠

Likely Case

Builds downloading malicious artifacts from compromised repositories, potentially introducing backdoors or malware into final applications.

🟢

If Mitigated

Minimal impact when using repository managers or when all dependencies come from trusted sources.

🌐 Internet-Facing: HIGH - Build servers fetching dependencies from external repositories are directly exposed.

🏢 Internal Only: MEDIUM - Internal builds could still be compromised if dependencies come from untrusted internal sources.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires compromising a repository referenced in a dependency POM or inserting malicious dependencies into the supply chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.1+

Vendor Advisory: https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E

Restart Required: No

Instructions:

1. Download Maven 3.8.1 or later from https://maven.apache.org/download.cgi
2. Replace existing Maven installation
3. Update build environment variables to point to new version
4. Verify builds work correctly with new version

🔧 Temporary Workarounds

Use repository manager

all

Configure Maven to use a repository manager like Nexus or Artifactory that controls which repositories are accessed.

Configure settings.xml with repository manager URL and disable external repository access

Disable external repository resolution

all

Configure Maven to only use trusted repositories and ignore repository definitions in POM files.

Add <mirrorOf>external:*</mirrorOf> to settings.xml to block external repositories

🧯 If You Can't Patch

Implement strict repository controls using repository managers
Audit all dependencies and ensure they only reference trusted repositories

🔍 How to Verify

Check if Vulnerable:

Check Maven version with 'mvn --version'. If version is below 3.8.1 and builds download from external repositories defined in dependency POMs, system is vulnerable.

Check Version:

mvn --version | grep 'Apache Maven'

Verify Fix Applied:

After upgrading to 3.8.1+, verify Maven no longer follows http repository references by default and check build logs for repository access patterns.

📡 Detection & Monitoring

Log Indicators:

Maven downloading artifacts from unexpected repositories
HTTP (non-HTTPS) repository access in build logs
Repository URLs in dependency POMs being resolved

Network Indicators:

Outbound connections to unknown repositories during builds
HTTP traffic to repository domains

SIEM Query:

source="maven-build.log" AND ("Downloading from" OR "repository") AND NOT ("https://" OR trusted-repository-domain)

📊 Metadata

CVE ID: CVE-2021-26291

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-346

Published: April 23, 2021

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-26291, you might also want to check these: