Posted to users@jena.apache.org by Brandon Sara <Br...@pointclickcare.com.INVALID> on 2023/05/31 16:17:51 UTC

CVE-2023-22665 Risk using Fuseki Pre 4.8.0

With CVE-2023-22665, what is the risk of using Fuseki pre-4.8.0 that does not have custom scripts configured in any configurations? Is there only a risk if custom scripts are set up to be used by Fuseki or is there a risk regardless of configuration?

Thanks.
No PHI in Email: PointClickCare and Collective Medical, A PointClickCare Company, policies prohibit sending protected health information (PHI) by email, which may violate regulatory requirements. If sending PHI is necessary, please contact the sender for secure delivery instructions.

Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.


Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Andy Seaborne <an...@apache.org>.

On 02/06/2023 17:26, Brandon Sara wrote:
> And just to be clear, this code would execute on the Fuseki server, correct?

I'm not sure what "this code" refers to.

A way to be safe is to run Fuseki with a Java17 runtime.

What is appropriate in your environment is something you have to decide. 
The software is provided "without warranties or conditions of any kind".

Keeping up-to-date with software releases is good practice and that 
applies to Java itself.

Unless you are running the WAR file, the choice of Java version to run 
Fuseki is controlled in the server script.

Moving to Java17 as a requirement for Jena generally is something on the 
project's radar.

     Andy


Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Brandon Sara <Br...@pointclickcare.com.INVALID>.
And just to be clear, this code would execute on the Fuseki server, correct?



Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Andy Seaborne <an...@apache.org>.
The advice from the project is to upgrade or at least run in a Java17+ 
environment, otherwise anything may be possible.

     Andy

On 01/06/2023 17:57, Brandon Sara wrote:
> Ok. When you say “arbitrary function”, could one craft and run code that makes HTTP calls (via XMLHttpRequest or the fetch API, for example)? We don’t have sensitive data in our store, but I want to make sure that no one could make queries to other servers via queries to Fuseki.

Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Brandon Sara <Br...@pointclickcare.com.INVALID>.
Ok. When you say “arbitrary function”, could one craft and run code that makes HTTP calls (via XMLHttpRequest or the fetch API, for example)? We don’t have sensitive data in our store, but I want to make sure that no one could make queries to other servers via queries to Fuseki.



Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Andy Seaborne <an...@apache.org>.
On 01/06/2023 09:42, Rob @ DNR wrote:
> Yes, prior to 4.8.0 users can craft a query that calls arbitrary JavaScript functions even if you have not explicitly configured custom scripts.
> 
> As discussed on our Security Advisories page [1] the project's advice is always to use the latest version available.
> 
> Or as already noted in this thread run using Java 17 as that does not have a script engine embedded by default. Java code is generally forward compatible safe so even though the project releases builds made to target Java 11 it’s fine to run that on a newer JVM.

A Jena release is compiled with Java17 at the moment, producing Java11 
bytecode. This is done to work around Javadoc issues; some improvements 
haven't been backported to the Java11 codeline.

We have Jenkins jobs for Java11, Java17 and Java-latest.

There are also github actions in the project codebase.

The project policy has always been "2 versions of Java" which we have 
interpreted nowadays as two LTS. Java21 is Sept this year and, barring a 
change of plan by OpenJDK, will be LTS.

     Andy


Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by "Rob @ DNR" <rv...@dotnetrdf.org>.
Yes, prior to 4.8.0 users can craft a query that calls arbitrary JavaScript functions even if you have not explicitly configured custom scripts.

As discussed on our Security Advisories page [1] the project's advice is always to use the latest version available.

Or as already noted in this thread run using Java 17 as that does not have a script engine embedded by default. Java code is generally forward compatible safe so even though the project releases builds made to target Java 11 it’s fine to run that on a newer JVM.

Is there any particular reason you haven’t yet upgraded to 4.8.0?

Rob

[1]: https://jena.apache.org/about_jena/security-advisories.html#standard-mitigation-advice

From: Brandon Sara <Br...@pointclickcare.com.INVALID>
Date: Thursday, 1 June 2023 at 02:05
To: users@jena.apache.org <us...@jena.apache.org>
Subject: Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0
I’m running with a version built and run with java 11. Given this, is there still a risk/concern if I don’t have custom scripts configured at all on the Fuseki server?


Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Brandon Sara <Br...@pointclickcare.com.INVALID>.
I’m running with a version built and run with java 11. Given this, is there still a risk/concern if I don’t have custom scripts configured at all on the Fuseki server?


Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0

Posted by Andy Seaborne <an...@apache.org>.

On 31/05/2023 17:17, Brandon Sara wrote:
> 
> With CVE-2023-22665, what is the risk of using Fuseki pre-4.8.0 that does not have custom scripts configured in any configurations? Is there only a risk if custom scripts are set up to be used by Fuseki or is there a risk regardless of configuration?
> 
> Thanks.

Java17 does not have a JavaScript engine, unless the deployment adds one.

So running on Java17 means that scripts can't execute.

The issue is Java11, where there is a script engine in the JVM runtime.

     Andy

https://openjdk.org/jeps/372
Nashorn removed at Java15.
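One way to turn the advice in this thread (upgrade to Fuseki 4.8.0, or else run on a Java 17+ runtime, which ships no script engine unless the deployment adds one) into a check an operator can run on the Fuseki host, as an added example that is not code from the Jena project or from anyone in this thread. The function names, the status labels and the sample version strings are my own; the 4.8.0 and Java 17 thresholds come from the thread, and the "JDK 15 removed Nashorn" fact from the JEP 372 link above.

```shell
#!/bin/sh
# Added example, not code from the Jena project or from this thread.
# Classifies a Fuseki deployment against CVE-2023-22665 from two facts the
# thread relies on: Fuseki 4.8.0 fixed the issue, and a stock JDK 15+ ships
# no JavaScript engine (Nashorn removed, JEP 372), the project recommending
# Java 17+. Function names and status labels are assumptions of this example.

# java_major_version LINE: print the JVM major version parsed from the first
# line of `java -version 2>&1`. Handles the old "1.8.0_362" style and the
# modern "11.0.19" / "17.0.7" / "21" style. Returns 1 if nothing parses.
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # 1.8.0_362 -> 8
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;   # 17.0.7    -> 17
    esac
}

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component; a "-qualifier" suffix is dropped before comparing.
version_ge() {
    a="${1%%-*}."; b="${2%%-*}."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# cve_2023_22665_status FUSEKI_VERSION JAVA_VERSION_LINE
# Prints one of: fixed | mitigated-by-jvm | exposed | unknown-jvm.
# Exit status: 0 not exposed, 1 exposed, 2 could not tell.
cve_2023_22665_status() {
    if version_ge "$1" 4.8.0; then
        echo fixed
        return 0
    fi
    jv=$(java_major_version "$2") || { echo unknown-jvm; return 2; }
    if [ "$jv" -ge 17 ]; then
        # A stock JDK 17+ has nothing for the script call to run on; this does
        # not hold if the deployment adds its own script engine to the classpath.
        echo mitigated-by-jvm
        return 0
    fi
    echo exposed
    return 1
}

# Typical use on the Fuseki host, with the Fuseki version supplied by the operator:
#   cve_2023_22665_status 4.7.0 "$(java -version 2>&1 | head -n 1)"
```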