On January 11th, 2023, we were contacted by MinecraftOnline about two unusual and suspicious Gradle wrapper JARs found in some of their repositories. The wrappers had been updated by a new contributor to MinecraftOnline.
We performed an analysis of the JARs and describe our findings below. We have determined that one of the two was specifically crafted as an attack against the MinecraftOnline project.
If you are not interested in all of the details, jump straight to our companion blog post, which covers how to protect your project, or yourself as a developer, against similar attacks.
Our recent security report shows that supply chain attacks targeting the build process through the Gradle Wrapper exist in the wild. This blog post explains how to protect your project or you, as a developer, against similar attacks.
A build process, by design, executes code. The components of the build process all carry their own risks:
On 16 August 2022, the Gradle Plugin Portal and the Gradle Discourse forums were affected by a security incident that could have led to the exposure of personal data of some Gradle community members.
No other services, hosted on gradle.org, gradle.com, or elsewhere were impacted.
What happened?
An Amazon Web Services key granting access to database backups that contained personal information for a subset of the Gradle Plugin Portal and Discourse forum users was exposed in a Git commit. This key was exposed for two hours before being revoked.
We believe it is unlikely that the exposure led to unauthorized access to data, but we are taking action and notifying affected individuals out of caution and transparency.
A critical remote code execution (RCE) vulnerability has been identified in the popular Apache Log4j logging library that affects versions 2.0 up to and including 2.14.1. This vulnerability has affected a very large number of JVM-based systems. For more information on the vulnerability itself, see CVE-2021-44228.
Update (December 22, 2021): Since the first post, two other vulnerabilities have been identified - CVE-2021-45046 and CVE-2021-45105 - so make sure to go over the different sections for updated instructions.
This vulnerability is being actively exploited. All Gradle users should assess whether their software projects are vulnerable and, if so, update to Log4j 2.17.0 or newer as soon as possible. We have provided instructions below on how to identify and...
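One way to carry out that assessment, as an added example that is not Gradle's own tooling or code from the original post: a Python script that scans the text output of `gradle dependencies` for `org.apache.logging.log4j:log4j-core` and flags every occurrence whose effective (resolved) version is below 2.17.0. Gradle prints `declared -> resolved` when conflict resolution or a constraint changed a version, so the script prefers the resolved side. The two report excerpts are constructed for the example (a tree before and after adding a constraint); the function names are mine.

```python
"""Scan `gradle dependencies` text output for vulnerable log4j-core versions (added example)."""
from __future__ import annotations

import re
from typing import Optional

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
FIXED_VERSION = "2.17.0"  # first release addressing CVE-2021-44228, -45046 and -45105


def parse_version(v: str) -> Optional[tuple]:
    """Turn '2.14.1' or '2.0-beta9' into a sortable key; None for things like '{strictly ...'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", v)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums = (nums + [0, 0, 0, 0])[:4]           # pad so keys always compare element by element
    pre = m.group(2) or ""
    return (tuple(nums), 0 if pre else 1, pre)  # a pre-release sorts before its final release


def scan_dependency_report(report: str) -> list[dict]:
    """Report every log4j-core line of a `gradle dependencies` tree.

    Gradle prints 'declared -> resolved' when conflict resolution or a constraint
    changed the version, so the resolved version is the one that ends up on the classpath.
    """
    fixed = parse_version(FIXED_VERSION)
    findings = []
    for line in report.splitlines():
        if LOG4J_CORE not in line:
            continue
        declared = re.search(re.escape(LOG4J_CORE) + r":(\S+)", line)
        resolved = re.search(r"->\s+(\S+)", line)
        effective = (resolved or declared).group(1) if (resolved or declared) else None
        key = parse_version(effective) if effective else None
        findings.append({
            "line": line.strip(),
            "declared": declared.group(1) if declared else None,
            "resolved": resolved.group(1) if resolved else None,
            "effective": effective,
            # unparsable coordinates (e.g. a bare rich-version constraint) are not flagged
            "vulnerable": key is not None and key < fixed,
        })
    return findings


def vulnerable_versions(report: str) -> set[str]:
    """The distinct log4j-core versions below FIXED_VERSION that actually resolve."""
    return {f["effective"] for f in scan_dependency_report(report) if f["vulnerable"]}


# Constructed excerpt of `gradle dependencies --configuration runtimeClasspath` (not real project output).
REPORT_BEFORE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-core:2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1
+--- org.springframework.boot:spring-boot-starter-log4j2:2.5.6
|    +--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.14.1
|    \--- org.apache.logging.log4j:log4j-jul:2.14.1
\--- com.example:legacy-lib:1.0
     \--- org.apache.logging.log4j:log4j-core:2.0-beta9 -> 2.14.1 (*)
"""

# Same tree after a strict dependency constraint on log4j-core (constructed).
REPORT_AFTER = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.0
|    \--- org.apache.logging.log4j:log4j-api:2.17.0
+--- org.springframework.boot:spring-boot-starter-log4j2:2.5.6
|    +--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.17.0
|    \--- org.apache.logging.log4j:log4j-jul:2.14.1 -> 2.17.0
\--- org.apache.logging.log4j:log4j-core:{strictly [2.17, 3[; prefer 2.17.0} -> 2.17.0 (c)
"""

if __name__ == "__main__":
    for name, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        print(name, "vulnerable log4j-core versions:", sorted(vulnerable_versions(report)) or "none")
        for f in scan_dependency_report(report):
            print("  ", "VULN" if f["vulnerable"] else "ok  ", f["line"])
```

Run it against `./gradlew dependencies --configuration runtimeClasspath` (and every other resolvable configuration you ship, such as test or application bundles); `./gradlew dependencyInsight --dependency log4j-core` shows why a particular version was selected. A dependency constraint with a strict version on `org.apache.logging.log4j:log4j-core` is the usual Gradle mechanism for forcing the upgrade through transitive dependencies you do not control; re-run the scan afterwards to confirm nothing still resolves below 2.17.0.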
Important update when publishing plugins to the Plugin Portal
A security vulnerability was reported to us on March 4th, 2020. This problem could allow an unauthorized person to overwrite plugin artifacts on the Plugin Portal if they had access to the build logs that published the plugin. After a thorough investigation, we found no artifacts that had been overwritten for a malicious purpose.
In response, we’ve published a new version of the com.gradle.plugin-publish plugin that contains an update to mitigate this security vulnerability.
Please upgrade com.gradle.plugin-publish plugin to version 0.11.0. Old versions of the com.gradle.plugin-publish plugin will no longer work. If you do not publish plugins to the Plugin Portal, you do not...
Searching across GitHub you can find many pull requests (PRs) with helpful titles like ‘Update to Gradle xxx’. Many of these PRs are contributed by individuals outside of the organization maintaining the project.
Maintainers are grateful for these kinds of contributions, as they take an item off their backlog. But there are security implications of accepting changes to the Gradle Wrapper...
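The check a reviewer of such a PR would want, covering both the suspicious wrapper JARs described at the top of this page and the "Update to Gradle xxx" PRs above, as an added example that is not code from Gradle's blog or tooling: a Python script that reads `gradle/wrapper/gradle-wrapper.properties`, confirms the `distributionUrl` still points at an HTTPS host you trust, and compares the SHA-256 of the committed `gradle-wrapper.jar` with the checksum Gradle publishes for that version. The `gradle-{version}-wrapper.jar.sha256` URL pattern is Gradle's real one; the `TRUSTED_HOSTS` set, the helper names and the sample files in `demo()` are constructed for this example, and the "published" checksum in the demo is computed locally rather than fetched, so the example runs offline.

```python
"""Verify a committed Gradle wrapper before merging a wrapper-update PR (added example)."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Gradle publishes the wrapper JAR checksum at this URL for every release; fetching it
# (e.g. with curl) is left to the caller so that the example itself stays offline.
WRAPPER_SHA256_URL = "https://services.gradle.org/distributions/gradle-{version}-wrapper.jar.sha256"
TRUSTED_HOSTS = {"services.gradle.org"}  # assumption: add your own mirror if you proxy Gradle


def distribution_url(properties_text: str) -> str:
    """Read distributionUrl from gradle-wrapper.properties (.properties files escape ':')."""
    m = re.search(r"^distributionUrl=(.+)$", properties_text, re.M)
    if not m:
        raise ValueError("gradle-wrapper.properties has no distributionUrl")
    return m.group(1).strip().replace("\\:", ":")


def wrapper_version(url: str) -> str:
    """'.../gradle-8.5-bin.zip' -> '8.5'; also handles '-all' and pre-release suffixes."""
    m = re.search(r"/gradle-(.+?)-(?:bin|all)\.zip$", url)
    if not m:
        raise ValueError(f"unexpected distributionUrl: {url}")
    return m.group(1)


def url_is_trusted(url: str) -> bool:
    """The distribution must come over HTTPS from a host we expect."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in TRUSTED_HOSTS


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_wrapper(wrapper_dir: Path, published_sha256: str) -> dict:
    """wrapper_dir is the project's gradle/wrapper directory; published_sha256 is the body
    of WRAPPER_SHA256_URL for the version that the properties file names."""
    url = distribution_url((wrapper_dir / "gradle-wrapper.properties").read_text())
    version = wrapper_version(url)
    actual = sha256_of(wrapper_dir / "gradle-wrapper.jar")
    return {
        "version": version,
        "checksum_url": WRAPPER_SHA256_URL.format(version=version),
        "url_trusted": url_is_trusted(url),
        "jar_matches": actual == published_sha256.strip().lower(),
    }


def demo() -> tuple[dict, dict]:
    """Constructed inputs: a stand-in JAR (not a real archive) plus a properties file.
    The 'published' checksum is computed locally here instead of being downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good_jar = b"constructed stand-in for gradle-wrapper.jar"
        (d / "gradle-wrapper.jar").write_bytes(good_jar)
        (d / "gradle-wrapper.properties").write_text(
            "distributionBase=GRADLE_USER_HOME\n"
            "distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip\n"
        )
        published = hashlib.sha256(good_jar).hexdigest()
        clean = check_wrapper(d, published)

        # A tampered PR: different JAR bytes and a distributionUrl pointing at a plain-HTTP host.
        (d / "gradle-wrapper.jar").write_bytes(good_jar + b"\x00backdoor")
        (d / "gradle-wrapper.properties").write_text(
            "distributionUrl=http\\://gradle.example.invalid/distributions/gradle-8.5-bin.zip\n"
        )
        tampered = check_wrapper(d, published)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean PR", "tampered PR"), demo()):
        print(label, result)
```

Two caveats when using this on a real repository. The JAR is produced by whichever Gradle ran the `wrapper` task, which is not necessarily the version named in `distributionUrl`, so a mismatch is a reason to ask the contributor questions rather than proof of tampering on its own; GitHub's gradle/wrapper-validation-action compares against the checksums of every published release for exactly that reason. And a PR can change the binary without touching the properties file at all, so review the JAR's checksum on every change to `gradle/wrapper/`, not only on version bumps.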
Starting in January 2020, Gradle services will only serve requests made with HTTPS. From that point on, all requests made with HTTP will be denied and any builds and artifact mirrors that use a Gradle URL with the non-secure HTTP protocol will fail.
If you are proxying our services through your own artifact servers like Artifactory or Nexus, you will need to ensure that you update your mirror configurations so they are using HTTPS instead of HTTP.
Gradle Services
This change will impact the following services.
Plugin Portal
By default, the Gradle build tool uses HTTPS when resolving plugins from the Plugin Portal. You should be unaffected if you do not declare a custom plugin repository.