<!DOCTYPE html>
<html lang="en">
<head>
<title>Apache Jena - Jena Security Advisories</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
<link href="/css/bootstrap-icons.css" rel="stylesheet" media="screen">
<link href="/css/jena.css" rel="stylesheet" type="text/css">
<link rel="shortcut icon" href="/images/favicon.ico" />
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-12">
<h1 class="title">Jena Security Advisories</h1>
<p>The Jena project has issued a number of security advisories during the lifetime of the project. On this page you&rsquo;ll
find details of our <a href="#process">security issue process</a>, a listing of our past <a href="#jena-cves">CVEs</a>, and the relevant <a href="#cves-in-jena-dependencies">CVEs in Jena dependencies</a>.</p>
<h2 id="process">Process</h2>
<p>Jena follows the standard <a href="https://www.apache.org/security/committers.html">ASF Security for Committers</a> policy for
reporting and addressing security issues.</p>
<p>If you think you have identified a security issue in our project, please refer to that policy for how to report it and
for the process that the Jena Project Management Committee (PMC) will follow in addressing the issue.</p>
<h2 id="single-supported-version">Single Supported Version</h2>
<p>As a project, Apache Jena only has the resources to maintain a single release
version. Any accepted security issue will be fixed in a future release in a timeframe appropriate to the severity of the issue.</p>
<h2 id="standard-mitigation-advice">Standard Mitigation Advice</h2>
<p>Note that as a project our guidance to users is <strong>always</strong> to use the newest Jena version available to ensure you have
any security fixes we have made available.</p>
<p>Where more specific mitigations are available these will be denoted in the individual CVEs.</p>
<h2 id="end-of-life-eol-components">End of Life (EOL) Components</h2>
<p>Where a security advisory is issued for a component that is already EOL (sometimes referred to as archived or retired
within our documentation) then we will not fix the issue but instead reiterate our previous recommendations that users
cease using the EOL component and migrate to actively supported components.</p>
<p>Such issues will follow the <a href="https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html">CVE EOL Assignment
Process</a> and will be clearly denoted
by the <strong>UNSUPPORTED WHEN ASSIGNED</strong> text at the start of the description.</p>
<h2 id="security-issues-in-dependencies">Security Issues in Dependencies</h2>
<p>For our dependencies the project relies primarily upon GitHub Dependabot Alerts to be made aware of available dependency
updates, whether security related or otherwise. When a security related update is released and our analysis shows that
Jena users may be affected, we endeavour to take the dependency upgrade as soon as possible and make a new release in a timeframe
appropriate to the severity of the issue.</p>
<h1 id="jena-cves">Jena CVEs</h1>
<p>The following CVEs specifically relate to the Jena codebase itself and have been addressed by the project. Per our
policy above we advise users to always utilise the latest Jena release available.</p>
<p>Please refer to the individual CVE links for further details and mitigations.</p>
<h2 id="cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</h2>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136">CVE-2022-45136</a> affects all versions of <a href="../documentation/archive/sdb/">Jena
SDB</a> up to and including the final <code>3.17.0</code> release.</p>
<p>Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to <a href="../documentation/tdb2/">Jena TDB
2</a> or other third-party vendor alternatives.</p>
<p>Apache Jena would like to thank Crilwa &amp; LaNyer640 for reporting this issue.</p>
<h2 id="cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing External DTDs</h2>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890">CVE-2022-28890</a> affects the RDF/XML parser in Jena 4.4.0
only.</p>
<p>Users should upgrade to the latest Jena 4.x <a href="../download/">release</a> available.</p>
<p>Apache Jena would like to thank Feras Daragma, Avishag Shapira &amp; Amit Laish (GE Digital, Cyber Security Lab) for their
report.</p>
<h2 id="cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - XML External Entity (XXE) Vulnerability</h2>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239">CVE-2021-39239</a> affects XML parsing up to and including the Jena <code>4.1.0</code> release.</p>
<p>Users should upgrade to the latest Jena 4.x <a href="../download/">release</a> available.</p>
<h2 id="cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki</h2>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192">CVE-2021-33192</a> affects
<a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code> through <code>4.0.0</code>.</p>
<p>Users should upgrade to the latest Jena 4.x <a href="../download/">release</a> available.</p>
<h1 id="cves-in-jena-dependencies">CVEs in Jena Dependencies</h1>
<p>The following advisories are CVEs in Jena&rsquo;s dependencies that may affect users of Jena. As with Jena-specific CVEs, our
standard <a href="#process">security issue process</a> applies: any necessary dependency updates, dependency API
and/or configuration changes have been adopted and released as soon as appropriate.</p>
<h2 id="log4shell">log4shell</h2>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45046</a>,
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a> and
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a>, collectively known as
<a href="https://en.wikipedia.org/wiki/Log4Shell">log4shell</a>, were vulnerabilities identified in the <a href="https://logging.apache.org/log4j/2.x/index.html">Apache
Log4j</a> project, which Jena uses as the concrete logging implementation
for <a href="../documentation/fuseki2/">Fuseki</a> and our command line tools.</p>
<p>Jena versions prior to <code>4.4.0</code> included vulnerable versions of Log4j.</p>
<p>Users should upgrade to the latest Jena 4.x <a href="../download/">release</a> available.</p>
</div>
</div>
</div>
<footer class="bd-footer py-4 py-md-5 mt-4 mt-lg-5 bg-body-tertiary">
<div class="container" style="font-size:80%" >
<p>
Copyright &copy; 2011&ndash;2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
</p>
<p>
Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of
The Apache Software Foundation.
<br/>
<a href="https://privacy.apache.org/policies/privacy-policy-public.html"
>Apache Software Foundation Privacy Policy</a>.
</p>
</div>
</footer>
</body>
</html>