| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| |
| |
| <title>Apache Jena - Jena Security Advisories</title> |
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen"> |
| <link href="/css/bootstrap-icons.css" rel="stylesheet" media="screen"><link rel="stylesheet" type="text/css" href="https://jena.apache.org/sass/jena.1b17c39a117e22b46db4c66f6395dc27c134a60377d87d2d5745b8600eb69722.css" integrity="sha256-GxfDmhF+IrRttMZvY5XcJ8E0pgN32H0tV0W4YA62lyI="> |
| <link rel="shortcut icon" href="/images/favicon.ico" /> |
| |
| </head> |
| |
| <body> |
| |
| <nav class="navbar navbar-expand-lg bg-body-tertiary" role="navigation"> |
| <div class="container"> |
| <div class="navbar-header"> |
| <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation"> |
| <span class="navbar-toggler-icon"></span> |
| </button> |
| <a class="navbar-brand" href="/index.html"> |
| <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a> |
| </div> |
| |
| <div class="collapse navbar-collapse" id="navbarNav"> |
| <ul class="navbar-nav me-auto mb-2 mb-lg-0"> |
| <li id="homepage" class="nav-item"><a class="nav-link" href="/index.html"><span class="bi-house"></span> Home</a></li> |
| <li id="download" class="nav-item"><a class="nav-link" href="/download/index.cgi"><span class="bi-download"></span> Download</a></li> |
| <li class="nav-item dropdown"> |
| <a href="#" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-journal"></span> Learn <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li class="dropdown-header">Tutorials</li> |
| <li><a class="dropdown-item" href="/tutorials/index.html">Overview</a></li> |
| <li><a class="dropdown-item" href="/documentation/fuseki2/index.html">Fuseki Triplestore</a></li> |
| <li><a class="dropdown-item" href="/documentation/notes/index.html">How-To's</a></li> |
| <li><a class="dropdown-item" href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li> |
| <li><a class="dropdown-item" href="/tutorials/rdf_api.html">RDF core API tutorial</a></li> |
| <li><a class="dropdown-item" href="/tutorials/sparql.html">SPARQL tutorial</a></li> |
| <li><a class="dropdown-item" href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li> |
| <li class="dropdown-divider"></li> |
| <li class="dropdown-header">References</li> |
| <li><a class="dropdown-item" href="/documentation/index.html">Overview</a></li> |
| <li><a class="dropdown-item" href="/documentation/query/index.html">ARQ (SPARQL)</a></li> |
| <li><a class="dropdown-item" href="/documentation/io/">RDF I/O</a></li> |
| <li><a class="dropdown-item" href="/documentation/assembler/index.html">Assembler</a></li> |
| <li><a class="dropdown-item" href="/documentation/tools/index.html">Command-line tools</a></li> |
| <li><a class="dropdown-item" href="/documentation/rdfs/">Data with RDFS Inferencing</a></li> |
| <li><a class="dropdown-item" href="/documentation/geosparql/index.html">GeoSPARQL</a></li> |
| <li><a class="dropdown-item" href="/documentation/inference/index.html">Inference API</a></li> |
| <li><a class="dropdown-item" href="/documentation/ontology/">Ontology API</a></li> |
| <li><a class="dropdown-item" href="/documentation/permissions/index.html">Permissions</a></li> |
| <li><a class="dropdown-item" href="/documentation/extras/querybuilder/index.html">Query Builder</a></li> |
| <li><a class="dropdown-item" href="/documentation/rdf/index.html">RDF API</a></li> |
| <li><a class="dropdown-item" href="/documentation/rdfconnection/">RDF Connection - SPARQL API</a></li> |
| <li><a class="dropdown-item" href="/documentation/rdfstar/index.html">RDF-star</a></li> |
| <li><a class="dropdown-item" href="/documentation/shacl/index.html">SHACL</a></li> |
| <li><a class="dropdown-item" href="/documentation/shex/index.html">ShEx</a></li> |
| <li><a class="dropdown-item" href="/documentation/tdb/index.html">TDB</a></li> |
| <li><a class="dropdown-item" href="/documentation/tdb2/index.html">TDB2</a></li> |
| <li><a class="dropdown-item" href="/documentation/query/text-query.html">Text Search</a></li> |
| </ul> |
| </li> |
| |
| <li class="nav-item dropdown"> |
| <a href="#" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-journal-code"></span> Javadoc <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a class="dropdown-item" href="/documentation/javadoc.html">All Javadoc</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/arq/">ARQ</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/fuseki2/">Fuseki</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/geosparql/">GeoSPARQL</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/jena/">Jena Core</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/permissions/">Permissions</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/extras/querybuilder/">Query Builder</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/shacl/">SHACL</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/tdb/">TDB</a></li> |
| <li><a class="dropdown-item" href="/documentation/javadoc/text/">Text Search</a></li> |
| </ul> |
| </li> |
| </ul> |
| <form class="d-flex" role="search" action="/search" method="GET"> |
| <div class="input-group"> |
| <input class="form-control border-end-0 border m-0" type="search" name="q" id="search-query" placeholder="Search...." aria-label="Search" style="width: 10rem;"> |
| <button class="btn btn-outline-secondary border-start-0 border" type="submit"> |
| <i class="bi-search"></i> |
| </button> |
| </div> |
| </form> |
| <ul class="navbar-nav"> |
| <li id="ask" class="nav-item"><a class="nav-link" href="/help_and_support/index.html" title="Ask"><span class="bi-patch-question"></span><span class="text-body d-none d-xxl-inline"> Ask</span></a></li> |
| |
| <li class="nav-item dropdown"> |
| <a href="#" title="Get involved" class="nav-link dropdown-toggle" role="button" data-bs-toggle="dropdown" aria-expanded="false"><span class="bi-megaphone"></span><span class="text-body d-none d-xxl-inline"> Get involved </span><b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a class="dropdown-item" href="/getting_involved/index.html">Contribute</a></li> |
| <li><a class="dropdown-item" href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li> |
| <li class="dropdown-divider"></li> |
| <li class="dropdown-header">Project</li> |
| <li><a class="dropdown-item" href="/about_jena/about.html">About Jena</a></li> |
| <li><a class="dropdown-item" href="/about_jena/architecture.html">Architecture</a></li> |
| <li><a class="dropdown-item" href="/about_jena/citing.html">Citing</a></li> |
| <li><a class="dropdown-item" href="/about_jena/team.html">Project team</a></li> |
| <li><a class="dropdown-item" href="/about_jena/contributions.html">Related projects</a></li> |
| <li><a class="dropdown-item" href="/about_jena/roadmap.html">Roadmap</a></li> |
| <li><a class="dropdown-item" href="/about_jena/security-advisories.html">Security Advisories</a></li> |
| <li class="dropdown-divider"></li> |
| <li class="dropdown-header">ASF</li> |
| <li><a class="dropdown-item" href="https://www.apache.org/">Apache Software Foundation</a></li> |
| <li><a class="dropdown-item" href="https://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li> |
| <li><a class="dropdown-item" href="https://www.apache.org/licenses/LICENSE-2.0">License</a></li> |
| <li><a class="dropdown-item" href="https://www.apache.org/security/">Security</a></li> |
| <li><a class="dropdown-item" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> |
| </ul> |
| </li> |
| |
| |
| |
| |
| <li class="nav-item" id="edit"><a class="nav-link" href="https://github.com/apache/jena-site/edit/main/source/about_jena/security-advisories.md" title="Edit this page on GitHub"><span class="bi-pencil-square"></span><span class="text-body d-none d-xxl-inline"> Edit this page</span></a></li> |
| </ul> |
| </div> |
| </div> |
| </nav> |
| |
| <div class="container"> |
| <div class="row"> |
| <div class="col-md-12"> |
| |
| <div id="breadcrumbs"> |
|
|
|
|
|
|
|
|
|
|
|
|
| <ol class="breadcrumb mt-4 p-2 bg-body-tertiary">
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| <li class="breadcrumb-item"><a href='/about_jena'>ABOUT JENA</a></li>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| <li class="breadcrumb-item active">SECURITY ADVISORIES</li>
|
|
|
|
|
|
|
|
|
| </ol>
|
|
|
|
|
|
|
| |
| </div> |
| <h1 class="title">Jena Security Advisories</h1> |
| |
| |
| <main class="d-flex flex-xl-row flex-column"> |
| |
| <aside class="text-muted align-self-start mb-3 p-0 d-xl-none d-block"> |
| <h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2> |
| <nav id="TableOfContents"> |
| <ul> |
| <li><a href="#process">Process</a></li> |
| <li><a href="#jena-cves">Jena CVEs</a></li> |
| <li><a href="#dependencies">Dependencies</a></li> |
| </ul> |
| </nav> |
| </aside> |
| <article class="flex-column me-lg-4"> |
| <p>The Jena project has issued a number of security advisories during the lifetime |
| of the project. On this page you’ll find details of our <a href="#process">security issue |
| process</a>, as a listing of our past <a href="#jena-cves">CVEs</a> and relevant |
| <a href="#cves-in-jena-dependencies">Dependency CVEs</a>.</p> |
| <h2 id="process">Process</h2> |
| <p>Jena follows the standard <a href="https://www.apache.org/security/committers.html">ASF Security for |
| Committers</a> policy for |
| reporting and addressing security issues.</p> |
| <p>If you think you have identified a Security issue in our project please refer to |
| that policy for how to report it, and the process that the Jena Project |
| Management Committee (PMC) will follow in addressing the issue.</p> |
| <p><strong>Single Supported Version</strong></p> |
| <p>As a project, Apache Jena only has the resources to maintain a single release |
| version. Any accepted security issue will be fixed in a future release in a |
| timeframe appropriate to the severity of the issue.</p> |
| <p><strong>Standard Mitigation Advice</strong></p> |
| <p>Note that as a project our guidance to users is <em>always</em> to use the newest |
| Jena version available to ensure you have any security fixes we have made |
| available.</p> |
| <p>Where more specific mitigations are available, these will be denoted in the |
| individual CVEs.</p> |
| <p><strong>End of Life (EOL) Components</strong></p> |
| <p>Where a security advisory is issued for a component that is already EOL |
| (sometimes referred to as archived or retired within our documentation) then we |
| will not fix the issue but instead reiterate our previous recommendations that |
| users cease using the EOL component and migrate to actively supported |
| components.</p> |
| <p>Such issues will follow the <a href="https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html">CVE EOL Assignment |
| Process</a> |
| and will be clearly denoted by the “<em>UNSUPPORTED WHEN ASSIGNED</em>” text at the |
| start of the description.</p> |
| <p><strong>Security Issues in Dependencies</strong></p> |
| <p>For our dependencies, the project relies primarily upon GitHub Dependabot Alerts |
| to be made aware of available dependency updates, whether security related or |
| otherwise. When a security related update is released and our analysis shows |
| that Jena users may be affected we endeavour to take the dependency upgrade ASAP |
| and make a new release in timeframe appropriate to the severity of the issue.</p> |
| <h2 id="jena-cves">Jena CVEs</h2> |
| <p>The following CVEs specifically relate to the Jena codebase itself and have been |
| addressed by the project. Per our policy above we advise users to always utilise |
| the latest Jena release available.</p> |
| <p>Please refer to the individual CVE links for further details and mitigations.</p> |
| <p><strong>CVE-2023-32200 - Exposure of execution in script engine expressions</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2023-32200">CVE-2023-32200</a> affects Jena |
| 3.7.0 through Jena 4.8.0 and relates to the <a href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript SPARQL |
| Functions</a> |
| feature of our ARQ SPARQL engine.</p> |
| <p>There is insufficient restrictions of called script functions in Apache Jena |
| versions 4.8.0 and earlier, when invoking custom scripts. It allows a remote |
| user to execute javascript via a SPARQL query.</p> |
| <p>From Jena 4.9.0, script functions <strong>MUST</strong> be added to an explicit “allow” list |
| for them to be called from the SPARQL query engine. This is in addition to the |
| script enabling controls of Jena 4.8.0 which <strong>MUST</strong> also be applied.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| <p><strong>CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2023-22665">CVE-2023-22665</a> affects Jena |
| 3.7.0 through 4.7.0 and relates to the <a href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript SPARQL |
| Functions</a> |
| feature of our ARQ SPARQL engine.</p> |
| <p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly enabled by end |
| users, and on newer JVMs (Java 17 onwards) a JavaScript script engine <strong>MUST</strong> |
| be explicitly added to the environment.</p> |
| <p>However, when enabled this feature does expose the majority of the underlying |
| scripting engine directly to SPARQL queries so may provide a vector for |
| arbitrary code execution. Therefore, it is recommended that this feature remain |
| disabled for any publicly accessible deployment that utilises the ARQ query |
| engine.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| <p><strong>CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2022-45136">CVE-2022-45136</a> affects all |
| versions of <a href="../documentation/archive/sdb/">Jena SDB</a> up to and including the |
| final <code>3.17.0</code> release.</p> |
| <p>Apache Jena SDB has been EOL since December 2020 and we recommend any remaining |
| users migrate to <a href="../documentation/tdb2/">Jena TDB 2</a> or other 3rd party vendor |
| alternatives.</p> |
| <p>Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue</p> |
| <p><strong>CVE-2022-28890 - Processing External DTD</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2022-28890">CVE-2022-28890</a> affects the |
| RDF/XML parser in Jena 4.4.0 only.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| <p>Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE |
| Digital, Cyber Security Lab) for their report.</p> |
| <p><strong>CVE-2021-39239 - XML External Entity (XXE) Vulnerabilit</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2021-39239">CVE-2021-39239</a> affects XML |
| parsing up to and including the Jena <code>4.1.0</code> release.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| <p><strong>CVE-2021-33192 - Display information UI XSS in Apache Jena Fusek</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2021-33192">CVE-2021-33192</a> affected |
| <a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code> through <code>4.0.0</code>.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| <h2 id="dependencies">Dependencies</h2> |
| <p>The following advisories are CVEs in Jena’s dependencies that may affect users |
| of Jena, as with Jena specific CVEs our standard <a href="#security-issue-policy">Security Issue |
| Policy</a> applies and any necessary dependency updates, |
| dependency API and/or configuration changes have been adopted and released as |
| soon as appropriate.</p> |
| <p><strong>log4j2</strong></p> |
| <p><a href="https://www.cve.org/CVERecord?id=CVE-2021-45046">CVE-2021-45105</a>, |
| <a href="https://www.cve.org/CVERecord?id=CVE-2021-45105">CVE-2021-45105</a> and |
| <a href="https://www.cve.org/CVERecord?id=CVE-2021-44832">CVE-2021-44832</a>, |
| collectively known as <a href="https://en.wikipedia.org/wiki/Log4Shell">log4shell</a> were |
| several vulnerabilities identified in the <a href="https://logging.apache.org/log4j/2.x/index.html">Apache |
| Log4j</a> project that Jena uses |
| as the concrete logging implementation for <a href="../documentation/fuseki2/">Fuseki</a> |
| and our command line tools.</p> |
| <p>Jena versions prior to <code>4.4.0</code> included vulnerable versions of Log4j.</p> |
| <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p> |
| |
| </article> |
| |
| <aside class="text-muted align-self-start mb-3 mb-xl-5 p-0 d-none d-xl-flex flex-column sticky-top"> |
| <h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2> |
| <nav id="TableOfContents"> |
| <ul> |
| <li><a href="#process">Process</a></li> |
| <li><a href="#jena-cves">Jena CVEs</a></li> |
| <li><a href="#dependencies">Dependencies</a></li> |
| </ul> |
| </nav> |
| </aside> |
| </main> |
| |
| </div> |
| </div> |
| </div> |
| |
| <footer class="bd-footer py-4 py-md-5 mt-4 mt-lg-5 bg-body-tertiary"> |
| <div class="container" style="font-size:80%" > |
| <p> |
| Copyright © 2011–2024 The Apache Software Foundation, Licensed under the |
| <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. |
| </p> |
| <p> |
| Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of |
| The Apache Software Foundation. |
| <br/> |
| <a href="https://privacy.apache.org/policies/privacy-policy-public.html" |
| >Apache Software Foundation Privacy Policy</a>. |
| </p> |
| </div> |
| </footer> |
| |
| <script src="/js/popper.min.js.js" type="text/javascript"></script> |
| <script src="/js/bootstrap.min.js" type="text/javascript"></script> |
| <script src="/js/improve.js" type="text/javascript"></script> |
| |
| <script type="text/javascript"> |
| (function() { |
| 'use strict' |
| |
| |
| |
| const links = document.querySelectorAll(`a[href="${window.location.pathname}"]`) |
| if (links !== undefined && links !== null) { |
| for (const link of links) { |
| |
| link.classList.add('active') |
| let parentElement = link.parentElement |
| let count = 0 |
| const levelsLimit = 4 |
| |
| |
| |
| |
| |
| while (['UL', 'LI'].includes(parentElement.tagName) && count <= levelsLimit) { |
| if (parentElement.tagName === 'LI') { |
| |
| |
| |
| parentElement.querySelector('a:first-child').classList.add('active') |
| } |
| parentElement = parentElement.parentElement |
| count++ |
| } |
| } |
| } |
| })() |
| </script> |
| |
| </body> |
| </html> |