Posted to commits@jena.apache.org by rv...@apache.org on 2023/04/26 10:24:17 UTC

[jena-site] 01/01: Advisory and doc updates for CVE-2023-22665

This is an automated email from the ASF dual-hosted git repository.

rvesse pushed a commit to branch cve-2023-22665
in repository https://gitbox.apache.org/repos/asf/jena-site.git

commit 425635805bb14fe30ed4318cbc502d7435e432cc
Author: Rob Vesse <ro...@telicent.io>
AuthorDate: Wed Apr 26 11:23:47 2023 +0100

    Advisory and doc updates for CVE-2023-22665
---
 source/about_jena/security-advisories.md           | 28 ++++++++++++++++------
 source/documentation/query/javascript-functions.md |  4 ++++
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/source/about_jena/security-advisories.md b/source/about_jena/security-advisories.md
index a2ad55547..87745f02e 100644
--- a/source/about_jena/security-advisories.md
+++ b/source/about_jena/security-advisories.md
@@ -50,9 +50,23 @@ policy above we advise users to always utilise the latest Jena release available
 
 Please refer to the individual CVE links for further details and mitigations.
 
+## CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions.
+
+[CVE-2023](https://www.cve.org/CVERecord?id=CVE-2023-22665) affects Jena ?? through 4.7.0 and relates to the [Javascript
+SPARQL Functions](https://jena.apache.org/documentation/query/javascript-functions.html) feature of our ARQ SPARQL
+engine.
+
+From Jena 4.8.0 onwards this feature **MUST** be explicitly enabled by end users, and on newer JVMs (Java 17 onwards) a
+JavaScript script engine must be explicitly added to the environment.  However, when enabled this feature does expose
+the majority of the underlying scripting engine directly to SPARQL queries so may remain a vector for arbitrary code
+execution.  Therefore it is recommended that this feature remain disabled for any publicly accessible deployment that
+utilises the ARQ query engine.
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
 ## CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB
 
-[CVE-2022-45136](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136) affects all versions of [Jena
+[CVE-2022-45136](https://www.cve.org/CVERecord?id=CVE-2022-45136) affects all versions of [Jena
 SDB](../documentation/archive/sdb/) up to and including the final `3.17.0` release.
 
 Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to [Jena TDB
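Review bot: the new CVE-2023-22665 entry still contains placeholder text that must be resolved before this page is published: in the affected-versions sentence the starting version reads `Jena ?? through 4.7.0`, and the link text `[CVE-2023](...)` is truncated where every other entry on the page uses the full identifier (here `[CVE-2023-22665](...)`). Two smaller consistency points: the new `##` heading ends with a full stop while the other advisory headings do not, and the paragraph on Jena 4.8.0 says the feature "MUST be explicitly enabled" without saying how, so a link to the relevant section of the JavaScript SPARQL Functions documentation (the same page this commit also changes) would save readers a search.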
@@ -62,7 +76,7 @@ Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue
 
 ## CVE-2022-28890 - Processing External DTDs
 
-[CVE-2022-28890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890) affects the RDF/XML parser in Jena 4.4.0
+[CVE-2022-28890](https://www.cve.org/CVERecord?id=CVE-2022-28890) affects the RDF/XML parser in Jena 4.4.0
 only.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
@@ -72,13 +86,13 @@ report.
 
 ## CVE-2021-39239 - XML External Entity (XXE) Vulnerability
 
-[CVE-2021-39239](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239) affects XML parsing up to and including the Jena `4.1.0` release.
+[CVE-2021-39239](https://www.cve.org/CVERecord?id=CVE-2021-39239) affects XML parsing up to and including the Jena `4.1.0` release.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
 
 ## CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki
 
-[CVE-2021-33192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192) affected
+[CVE-2021-33192](https://www.cve.org/CVERecord?id=CVE-2021-33192) affected
 [Fuseki](../documentation/fuseki2/) versions `2.0.0` through `4.0.0`.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
@@ -91,9 +105,9 @@ and/or configuration changes have been adopted and released as soon as appropria
 
 ## log4shell
 
-[CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046),
-[CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) and
-[CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832), collectively known as
+[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45046),
+[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105) and
+[CVE-2021-44832](https://www.cve.org/CVERecord?id=CVE-2021-44832), collectively known as
 [log4shell](https://en.wikipedia.org/wiki/Log4Shell) were several vulnerabilities identified in the [Apache
 Log4j](https://logging.apache.org/log4j/2.x/index.html) project that Jena uses as the concrete logging implementation
 for [Fuseki](../documentation/fuseki2/) and our command line tools.
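Review bot: the first link in the log4shell list still has mismatched text and target after this edit: the line `[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45046),` points at the CVE-2021-45046 record but is labelled CVE-2021-45105, so the same identifier appears twice and CVE-2021-45046 is never named in the text. Since this hunk is already rewriting these three link lines, the link text on the first one should be corrected to `CVE-2021-45046` in the same change.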
diff --git a/source/documentation/query/javascript-functions.md b/source/documentation/query/javascript-functions.md
index 89176bb18..9cca68680 100644
--- a/source/documentation/query/javascript-functions.md
+++ b/source/documentation/query/javascript-functions.md
@@ -65,6 +65,10 @@ will execute on the data with the JavaScript functions from file
 JavaScript functions can also be set from a string directly from within Java using constant
 `ARQ.symJavaScriptFunctions` ("http://jena.apache.org/ARQ#js-functions").
 
+**WARNING:** Enabling this feature exposes the majority of the underlying scripting engine directly to SPARQL queries so
+may provide a vector for arbitrary code execution.  Therefore it is recommended that this feature remain disabled for
+any publicly accessible deployment that utilises the ARQ query engine.
+
 ## Using JavaScript functions
 
 SPARQL functions implemented in JavaScript are automatically called when a
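Review bot: the added warning sits after the paragraphs that explain how to load JavaScript functions (via a file or the `ARQ.symJavaScriptFunctions` constant) and just before "Using JavaScript functions", so a reader following the page top to bottom has already enabled the feature by the time they reach it; consider moving it, or a one-line pointer to it, to the top of the document. It would also help to state here what the advisory hunk in this same commit states, that from Jena 4.8.0 the feature is disabled unless explicitly enabled and that newer JVMs need a script engine added, so the two pages do not drift apart, and to link to the advisory entry for CVE-2023-22665.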