The Jena project has issued a number of security advisories during the lifetime of the project. On this page you'll find details of our security issue process, as well as a listing of our past CVEs as well as relevant Dependency CVEs.
Jena follows the standard ASF Security for Committers policy for reporting and addressing security issues.
If you think you have identified a Security issue in our project please refer to that policy for how to report it, and the process that the Jena Project Management Committee (PMC) will follow in addressing the issue.
As a project, Apache Jena only has the resources to maintain a single release version. Any accepted security issue will be fixed in a future release in a timeframe appropriate to the severity of the issue.
Note that as a project our guidance to users is always to use the newest Jena version available to ensure you have any security fixes we have made available.
Where more specific mitigations are available these will be denoted in the individual CVEs.
Where a security advisory is issued for a component that is already EOL (sometimes referred to as archived or retired within our documentation) then we will not fix the issue but instead reiterate our previous recommendations that users cease using the EOL component and migrate to actively supported components.
Such issues will follow the CVE EOL Assignment Process and will be clearly denoted by the UNSUPPORTED WHEN ASSIGNED text at the start of the description.
For our dependencies the project relies primarily upon GitHub Dependabot Alerts to be made aware of available dependency updates, whether security related or otherwise. When a security related update is released and our analysis shows that Jena users may be affected we endeavour to take the dependency upgrade ASAP and make a new release in timeframe appropriate to the severity of the issue.
The following CVEs specifically relate to the Jena codebase itself and have been addressed by the project. Per our policy above we advise users to always utilise the latest Jena release available.
Please refer to the individual CVE links for further details and mitigations.
CVE-2022-45136 affects all versions of Jena SDB up to and including the final 3.17.0 release.
Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to Jena TDB 2 or other 3rd party vendor alternatives.
Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue
CVE-2022-28890 affects the RDF/XML parser in Jena 4.4.0 only.
Users should upgrade to latest Jena 4.x release available.
Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.
CVE-2021-39239 affects XML parsing up to and including the Jena 4.1.0 release.
Users should upgrade to latest Jena 4.x release available.
CVE-2021-33192 affected Fuseki versions 2.0.0 through 4.0.0.
Users should upgrade to latest Jena 4.x release available.
The following advisories are CVEs in Jena's dependencies that may affect users of Jena, as with Jena specific CVEs our standard Security Issue Policy applies and any necessary dependency updates, dependency API and/or configuration changes have been adopted and released as soon as appropriate.
CVE-2021-45105, CVE-2021-45105 and CVE-2021-44832, collectively known as log4shell were several vulnerabilities identified in the Apache Log4j project that Jena uses as the concrete logging implementation for Fuseki and our command line tools.
Jena versions prior to 4.4.0 included vulnerable versions of Log4j.
Users should upgrade to latest Jena 4.x release available.