Google Git
Sign in
apache / jena-site / refs/heads/asf-site / . / content / about_jena / security-advisories.html
blob: f0eb014e9b8aca964831d4b3f1fb19f4a6e913b0 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<title>Apache Jena - Jena Security Advisories</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
<link href="/css/bootstrap-icons.css" rel="stylesheet" media="screen"><link rel="stylesheet" type="text/css" href="https://jena.apache.org/sass/jena.1b17c39a117e22b46db4c66f6395dc27c134a60377d87d2d5745b8600eb69722.css" integrity="sha256-GxfDmhF&#43;IrRttMZvY5XcJ8E0pgN32H0tV0W4YA62lyI=">
<link rel="shortcut icon" href="/images/favicon.ico" />
</head>
<body>
<nav class="navbar navbar-expand-lg bg-body-tertiary" role="navigation">
<div class="container">
<div class="navbar-header">
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<a class="navbar-brand" href="/index.html">
<img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a>
</div>
<div class="collapse navbar-collapse" id="navbarNav">
<ul class="navbar-nav me-auto mb-2 mb-lg-0">
<li id="homepage" class="nav-item"><a class="nav-link" href="/index.html"><span class="bi-house"></span> Home</a></li>
<li id="download" class="nav-item"><a class="nav-link" href="/download/index.cgi"><span class="bi-download"></span> Download</a></li>
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-journal"></span> Learn <b class="caret"></b></a>
<ul class="dropdown-menu">
<li class="dropdown-header">Tutorials</li>
<li><a class="dropdown-item" href="/tutorials/index.html">Overview</a></li>
<li><a class="dropdown-item" href="/documentation/fuseki2/index.html">Fuseki Triplestore</a></li>
<li><a class="dropdown-item" href="/documentation/notes/index.html">How-To's</a></li>
<li><a class="dropdown-item" href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li>
<li><a class="dropdown-item" href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
<li><a class="dropdown-item" href="/tutorials/sparql.html">SPARQL tutorial</a></li>
<li><a class="dropdown-item" href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
<li class="dropdown-divider"></li>
<li class="dropdown-header">References</li>
<li><a class="dropdown-item" href="/documentation/index.html">Overview</a></li>
<li><a class="dropdown-item" href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
<li><a class="dropdown-item" href="/documentation/io/">RDF I/O</a></li>
<li><a class="dropdown-item" href="/documentation/assembler/index.html">Assembler</a></li>
<li><a class="dropdown-item" href="/documentation/tools/index.html">Command-line tools</a></li>
<li><a class="dropdown-item" href="/documentation/rdfs/">Data with RDFS Inferencing</a></li>
<li><a class="dropdown-item" href="/documentation/geosparql/index.html">GeoSPARQL</a></li>
<li><a class="dropdown-item" href="/documentation/inference/index.html">Inference API</a></li>
<li><a class="dropdown-item" href="/documentation/ontology/">Ontology API</a></li>
<li><a class="dropdown-item" href="/documentation/permissions/index.html">Permissions</a></li>
<li><a class="dropdown-item" href="/documentation/extras/querybuilder/index.html">Query Builder</a></li>
<li><a class="dropdown-item" href="/documentation/rdf/index.html">RDF API</a></li>
<li><a class="dropdown-item" href="/documentation/rdfconnection/">RDF Connection - SPARQL API</a></li>
<li><a class="dropdown-item" href="/documentation/rdfstar/index.html">RDF-star</a></li>
<li><a class="dropdown-item" href="/documentation/shacl/index.html">SHACL</a></li>
<li><a class="dropdown-item" href="/documentation/shex/index.html">ShEx</a></li>
<li><a class="dropdown-item" href="/documentation/tdb/index.html">TDB</a></li>
<li><a class="dropdown-item" href="/documentation/tdb2/index.html">TDB2</a></li>
<li><a class="dropdown-item" href="/documentation/query/text-query.html">Text Search</a></li>
</ul>
</li>
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-journal-code"></span> Javadoc <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/documentation/javadoc.html">All Javadoc</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/arq/">ARQ</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/fuseki2/">Fuseki</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/geosparql/">GeoSPARQL</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/jena/">Jena Core</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/permissions/">Permissions</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/extras/querybuilder/">Query Builder</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/shacl/">SHACL</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/tdb/">TDB</a></li>
<li><a class="dropdown-item" href="/documentation/javadoc/text/">Text Search</a></li>
</ul>
</li>
</ul>
<form class="d-flex" role="search" action="/search" method="GET">
<div class="input-group">
<input class="form-control border-end-0 border m-0" type="search" name="q" id="search-query" placeholder="Search...." aria-label="Search" style="width: 10rem;">
<button class="btn btn-outline-secondary border-start-0 border" type="submit">
<i class="bi-search"></i>
</button>
</div>
</form>
<ul class="navbar-nav">
<li id="ask" class="nav-item"><a class="nav-link" href="/help_and_support/index.html" title="Ask"><span class="bi-patch-question"></span><span class="text-body d-none d-xxl-inline"> Ask</span></a></li>
<li class="nav-item dropdown">
<a href="#" title="Get involved" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-megaphone"></span><span class="text-body d-none d-xxl-inline"> Get involved </span><b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/getting_involved/index.html">Contribute</a></li>
<li><a class="dropdown-item" href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
<li class="dropdown-divider"></li>
<li class="dropdown-header">Project</li>
<li><a class="dropdown-item" href="/about_jena/about.html">About Jena</a></li>
<li><a class="dropdown-item" href="/about_jena/architecture.html">Architecture</a></li>
<li><a class="dropdown-item" href="/about_jena/citing.html">Citing</a></li>
<li><a class="dropdown-item" href="/about_jena/team.html">Project team</a></li>
<li><a class="dropdown-item" href="/about_jena/contributions.html">Related projects</a></li>
<li><a class="dropdown-item" href="/about_jena/roadmap.html">Roadmap</a></li>
<li><a class="dropdown-item" href="/about_jena/security-advisories.html">Security Advisories</a></li>
<li class="dropdown-divider"></li>
<li class="dropdown-header">ASF</li>
<li><a class="dropdown-item" href="https://www.apache.org/">Apache Software Foundation</a></li>
<li><a class="dropdown-item" href="https://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
<li><a class="dropdown-item" href="https://www.apache.org/licenses/LICENSE-2.0">License</a></li>
<li><a class="dropdown-item" href="https://www.apache.org/security/">Security</a></li>
<li><a class="dropdown-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li>
</ul>
</li>
<li class="nav-item" id="edit"><a class="nav-link" href="https://github.com/apache/jena-site/edit/main/source/about_jena/security-advisories.md" title="Edit this page on GitHub"><span class="bi-pencil-square"></span><span class="text-body d-none d-xxl-inline"> Edit this page</span></a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="row">
<div class="col-md-12">
<div id="breadcrumbs">
<ol class="breadcrumb mt-4 p-2 bg-body-tertiary">
<li class="breadcrumb-item"><a href='/about_jena'>ABOUT JENA</a></li>
<li class="breadcrumb-item active">SECURITY ADVISORIES</li>
</ol>
</div>
<h1 class="title">Jena Security Advisories</h1>
<main class="d-flex flex-xl-row flex-column">
<aside class="text-muted align-self-start mb-3 p-0 d-xl-none d-block">
<h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
<nav id="TableOfContents">
<ul>
<li><a href="#process">Process</a></li>
<li><a href="#jena-cves">Jena CVEs</a></li>
<li><a href="#dependencies">Dependencies</a></li>
</ul>
</nav>
</aside>
<article class="flex-column me-lg-4">
<p>The Jena project has issued a number of security advisories during the lifetime
of the project. On this page you&rsquo;ll find details of our <a href="#process">security issue
process</a>, as a listing of our past <a href="#jena-cves">CVEs</a> and relevant
<a href="#cves-in-jena-dependencies">Dependency CVEs</a>.</p>
<h2 id="process">Process</h2>
<p>Jena follows the standard <a href="https://www.apache.org/security/committers.html">ASF Security for
Committers</a> policy for
reporting and addressing security issues.</p>
<p>If you think you have identified a Security issue in our project please refer to
that policy for how to report it, and the process that the Jena Project
Management Committee (PMC) will follow in addressing the issue.</p>
<p><strong>Single Supported Version</strong></p>
<p>As a project, Apache Jena only has the resources to maintain a single release
version. Any accepted security issue will be fixed in a future release in a
timeframe appropriate to the severity of the issue.</p>
<p><strong>Standard Mitigation Advice</strong></p>
<p>Note that as a project our guidance to users is <em>always</em> to use the newest
Jena version available to ensure you have any security fixes we have made
available.</p>
<p>Where more specific mitigations are available, these will be denoted in the
individual CVEs.</p>
<p><strong>End of Life (EOL) Components</strong></p>
<p>Where a security advisory is issued for a component that is already EOL
(sometimes referred to as archived or retired within our documentation) then we
will not fix the issue but instead reiterate our previous recommendations that
users cease using the EOL component and migrate to actively supported
components.</p>
<p>Such issues will follow the <a href="https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html">CVE EOL Assignment
Process</a>
and will be clearly denoted by the &ldquo;<em>UNSUPPORTED WHEN ASSIGNED</em>&rdquo; text at the
start of the description.</p>
<p><strong>Security Issues in Dependencies</strong></p>
<p>For our dependencies, the project relies primarily upon GitHub Dependabot Alerts
to be made aware of available dependency updates, whether security related or
otherwise. When a security related update is released and our analysis shows
that Jena users may be affected we endeavour to take the dependency upgrade ASAP
and make a new release in timeframe appropriate to the severity of the issue.</p>
<h2 id="jena-cves">Jena CVEs</h2>
<p>The following CVEs specifically relate to the Jena codebase itself and have been
addressed by the project. Per our policy above we advise users to always utilise
the latest Jena release available.</p>
<p>Please refer to the individual CVE links for further details and mitigations.</p>
<p><strong>CVE-2023-32200 - Exposure of execution in script engine expressions</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2023-32200">CVE-2023-32200</a> affects Jena
3.7.0 through Jena 4.8.0 and relates to the <a href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript SPARQL
Functions</a>
feature of our ARQ SPARQL engine.</p>
<p>There is insufficient restrictions of called script functions in Apache Jena
versions 4.8.0 and earlier, when invoking custom scripts. It allows a remote
user to execute javascript via a SPARQL query.</p>
<p>From Jena 4.9.0, script functions <strong>MUST</strong> be added to an explicit &ldquo;allow&rdquo; list
for them to be called from the SPARQL query engine. This is in addition to the
script enabling controls of Jena 4.8.0 which <strong>MUST</strong> also be applied.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
<p><strong>CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2023-22665">CVE-2023-22665</a> affects Jena
3.7.0 through 4.7.0 and relates to the <a href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript SPARQL
Functions</a>
feature of our ARQ SPARQL engine.</p>
<p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly enabled by end
users, and on newer JVMs (Java 17 onwards) a JavaScript script engine <strong>MUST</strong>
be explicitly added to the environment.</p>
<p>However, when enabled this feature does expose the majority of the underlying
scripting engine directly to SPARQL queries so may provide a vector for
arbitrary code execution. Therefore, it is recommended that this feature remain
disabled for any publicly accessible deployment that utilises the ARQ query
engine.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
<p><strong>CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2022-45136">CVE-2022-45136</a> affects all
versions of <a href="../documentation/archive/sdb/">Jena SDB</a> up to and including the
final <code>3.17.0</code> release.</p>
<p>Apache Jena SDB has been EOL since December 2020 and we recommend any remaining
users migrate to <a href="../documentation/tdb2/">Jena TDB 2</a> or other 3rd party vendor
alternatives.</p>
<p>Apache Jena would like to thank Crilwa &amp; LaNyer640 for reporting this issue</p>
<p><strong>CVE-2022-28890 - Processing External DTD</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2022-28890">CVE-2022-28890</a> affects the
RDF/XML parser in Jena 4.4.0 only.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
<p>Apache Jena would like to thank Feras Daragma, Avishag Shapira &amp; Amit Laish (GE
Digital, Cyber Security Lab) for their report.</p>
<p><strong>CVE-2021-39239 - XML External Entity (XXE) Vulnerabilit</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-39239">CVE-2021-39239</a> affects XML
parsing up to and including the Jena <code>4.1.0</code> release.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
<p><strong>CVE-2021-33192 - Display information UI XSS in Apache Jena Fusek</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-33192">CVE-2021-33192</a> affected
<a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code> through <code>4.0.0</code>.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
<h2 id="dependencies">Dependencies</h2>
<p>The following advisories are CVEs in Jena&rsquo;s dependencies that may affect users
of Jena, as with Jena specific CVEs our standard <a href="#security-issue-policy">Security Issue
Policy</a> applies and any necessary dependency updates,
dependency API and/or configuration changes have been adopted and released as
soon as appropriate.</p>
<p><strong>log4j2</strong></p>
<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-45046">CVE-2021-45105</a>,
<a href="https://www.cve.org/CVERecord?id=CVE-2021-45105">CVE-2021-45105</a> and
<a href="https://www.cve.org/CVERecord?id=CVE-2021-44832">CVE-2021-44832</a>,
collectively known as <a href="https://en.wikipedia.org/wiki/Log4Shell">log4shell</a> were
several vulnerabilities identified in the <a href="https://logging.apache.org/log4j/2.x/index.html">Apache
Log4j</a> project that Jena uses
as the concrete logging implementation for <a href="../documentation/fuseki2/">Fuseki</a>
and our command line tools.</p>
<p>Jena versions prior to <code>4.4.0</code> included vulnerable versions of Log4j.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
</article>
<aside class="text-muted align-self-start mb-3 mb-xl-5 p-0 d-none d-xl-flex flex-column sticky-top">
<h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
<nav id="TableOfContents">
<ul>
<li><a href="#process">Process</a></li>
<li><a href="#jena-cves">Jena CVEs</a></li>
<li><a href="#dependencies">Dependencies</a></li>
</ul>
</nav>
</aside>
</main>
</div>
</div>
</div>
<footer class="bd-footer py-4 py-md-5 mt-4 mt-lg-5 bg-body-tertiary">
<div class="container" style="font-size:80%" >
<p>
Copyright &copy; 2011&ndash;2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
</p>
<p>
Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of
The Apache Software Foundation.
<br/>
<a href="https://privacy.apache.org/policies/privacy-policy-public.html"
>Apache Software Foundation Privacy Policy</a>.
</p>
</div>
</footer>
<script src="/js/popper.min.js.js" type="text/javascript"></script>
<script src="/js/bootstrap.min.js" type="text/javascript"></script>
<script src="/js/improve.js" type="text/javascript"></script>
<script type="text/javascript">
(function() {
'use strict'
const links = document.querySelectorAll(`a[href="${window.location.pathname}"]`)
if (links !== undefined && links !== null) {
for (const link of links) {
link.classList.add('active')
let parentElement = link.parentElement
let count = 0
const levelsLimit = 4
while (['UL', 'LI'].includes(parentElement.tagName) && count <= levelsLimit) {
if (parentElement.tagName === 'LI') {
parentElement.querySelector('a:first-child').classList.add('active')
}
parentElement = parentElement.parentElement
count++
}
}
}
})()
</script>
</body>
</html>