The Eclipse Foundation has disclosed a security incident that could have affected artifacts on repo.eclipse.org due to a leak of deployment credentials for the Nexus application running on repo.eclipse.org.
The Eclipse Foundation is a not-for-profit, member-supported corporation that hosts the Eclipse projects. The Eclipse Foundation is one of the world's leading open-source software foundations, steward of the Eclipse IDE, enterprise Java, and Eclipse MicroProfile.
According to Mikaël Barbero, a senior platform developer at the Eclipse Foundation, the organization was alerted to secrets in the main Jiro repository on February 16th, 2021. These secrets were encrypted deployment credentials for the Nexus application running on repo.eclipse.org, including the master password. Although the master password was not stored in clear text, it could be easily decoded and then used to decrypt the other credentials.
The leaked credentials had full control (read/write/delete) over all Maven repositories stored at repo.eclipse.org, Barbero explained, and potentially allowed a malicious actor to remove published items, inject malicious code into some jars, or modify some pom.xml files to add or change dependencies so that downstream consumers would fetch those dependencies (with potentially malicious code).
Upon confirming the issue, the organization immediately revoked the leaked credentials, removed them from the git repository, and deployed new credentials to all Jenkins instances requiring deployment capabilities.
“We managed to validate — to the best of our knowledge — that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to deny or confirm anything,” Barbero said. “The leaked credentials were granting full control on all Maven repositories, but only over the REST API. It means that the last modified time (mtime) of the files on the file system could not be forged by a potential malicious user.”
The Eclipse Foundation says it will take measures to prevent future incidents:
We will stop generating secrets inside the git repo folder so that such a file can never be committed again. Note that we already had a .gitignore with the proper rules, but for some reason it has not been enough.
We will enforce code reviews for all code submissions to sensitive CBI repositories.
We will grant permissions to projects only on repositories associated with the projects. This will help contain the potential blast radius of such a leak, should it happen again in the future.
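The first measure above hinges on a point practitioners often miss: a .gitignore rule only prevents untracked files from being added; it does nothing for files that were force-added or were already tracked when the rule arrived. The scanner below is an added example (not Eclipse Foundation or Jiro code) that a pre-commit hook or CI job can run over a checkout to flag Maven settings.xml server passwords and the settings-security.xml master password, whether stored as Maven's {base64} encrypted form or in plain text. The file contents and names it builds under a temporary directory are constructed for the demo.

```python
"""Flag committed Maven/Nexus deployment credentials in a checkout."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Maven stores encrypted server passwords and the master password as {base64};
# the "encryption" is reversible with the master password, so it is still a leak.
ENCRYPTED_RE = re.compile(r"^\{.+\}$")

def _findings_in_xml(path):
    """Return (path, element, kind) for every <password>/<master> with a value."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # not well-formed XML: nothing to report here
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        value = (elem.text or "").strip()
        if tag in ("password", "master") and value:
            kind = "encrypted" if ENCRYPTED_RE.match(value) else "plaintext"
            findings.append((path, tag, kind))
    return findings

def scan_tree(root_dir):
    """Walk the working tree (skipping .git) and collect credential findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name.endswith(".xml"):
                findings.extend(_findings_in_xml(os.path.join(dirpath, name)))
    return findings

def demo():
    """Build a constructed checkout resembling a leaked config repo and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".m2"))
    with open(os.path.join(root, ".m2", "settings-security.xml"), "w") as f:
        f.write("<settingsSecurity><master>{CONSTRUCTED_MASTER=}</master></settingsSecurity>")
    with open(os.path.join(root, ".m2", "settings.xml"), "w") as f:
        f.write("<settings><servers>"
                "<server><id>nexus-deploy</id><username>deploy</username>"
                "<password>{CONSTRUCTED_ENCRYPTED=}</password></server>"
                "<server><id>legacy</id><username>ci</username>"
                "<password>constructed-plaintext</password></server>"
                "</servers></settings>")
    with open(os.path.join(root, "pom.xml"), "w") as f:
        f.write("<project><artifactId>demo</artifactId></project>")  # no creds
    return scan_tree(root)
```

Run it as a pre-commit hook over the staged tree and fail the commit on any finding; pom.xml files with no credential elements produce nothing.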