Posted to dev@jena.apache.org by Roland Cornelissen <me...@gmail.com> on 2017/10/19 15:13:04 UTC

Security vulnerability?

Hi,

Could it be that the Jena library causes an XXE vulnerability? [1]
I am looking into this for a web application we are using and I'm not
sure on how to report/question such issues.

Thanks,
Roland

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing



Re: Security vulnerability?

Posted by Andy Seaborne <an...@apache.org>.
Roland,

There is no requirement to use RDF/XML.

To avoid this XML-related vulnerability, don't accept arbitrary, 
uncontrolled RDF/XML but allow syntaxes such as Turtle or N-Triples, which 
don't have this remote inclusion feature.

They are faster to process as well.

     Andy

On 19/10/17 16:31, Rob Vesse wrote:
> Potentially yes, see https://issues.apache.org/jira/browse/JENA-1364
> 
> There is a known vulnerability in the Apache Xerces library we use; unfortunately there has not been an official Xerces release for quite some time (Feb 2013 was the last). There had been some apparent discussion at finally making a new release around the time that the issue was reported to us, but it has unfortunately not materialised.
> 
> The referenced JIRA issue describes end user workarounds which involve substituting an alternative build of that library.
> 
> For general guidelines on how to report security issues to any Apache project please see https://www.apache.org/security/
> 
> Rob
> 
> On 19/10/2017 16:13, "Roland Cornelissen" <me...@gmail.com> wrote:
> 
>      Hi,
>      
>      Could it be that the Jena library causes an XXE vulnerability? [1]
>      I am looking into this for a web application we are using and I'm not
>      sure on how to report/question such issues.
>      
>      Thanks,
>      Roland
>      
>      [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
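
One way to apply Andy's advice in a web application, as an added example that is not code from this thread or from the Jena project: gate uploads on the declared media type so that only Turtle and N-Triples ever reach a parser, and RDF/XML (and therefore the Xerces XML parser) is never invoked on untrusted input. It assumes a servlet-style handler that hands over the Content-Type header and the request body; the class and method names are hypothetical.

```java
// Added example (not from the thread or the Jena project): allow-list the
// RDF syntaxes an application will parse from untrusted clients.
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFDataMgr;
import org.apache.jena.riot.RDFLanguages;

public final class SafeRdfUpload {   // hypothetical class name

    /** Syntaxes accepted from untrusted clients. RDF/XML is deliberately absent. */
    private static final Set<Lang> ALLOWED =
        new HashSet<>(Arrays.asList(Lang.TURTLE, Lang.NTRIPLES));

    /**
     * Parse an uploaded body into a fresh Model using only the syntax the
     * request declared. No content sniffing: a body declared as Turtle is
     * parsed as Turtle and nothing else, so an XML body can never be routed
     * to the RDF/XML reader by guesswork.
     *
     * @param contentType the request's Content-Type header, e.g. "text/turtle"
     * @param body        the request body
     * @throws IllegalArgumentException if the declared syntax is not allowed
     */
    public static Model parseUntrusted(String contentType, InputStream body) {
        if (contentType == null) {
            throw new IllegalArgumentException("Missing Content-Type");
        }
        // Drop media-type parameters such as "; charset=utf-8" before lookup.
        String mediaType = contentType.split(";", 2)[0].trim();
        // Map the media type to a Jena Lang; null if Jena does not know it.
        Lang lang = RDFLanguages.contentTypeToLang(mediaType);
        if (lang == null || !ALLOWED.contains(lang)) {
            // application/rdf+xml, unknown and unsupported types all end here.
            throw new IllegalArgumentException("Unsupported RDF syntax: " + mediaType
                + " (accepted: text/turtle, application/n-triples)");
        }
        Model model = ModelFactory.createDefaultModel();
        // Forced syntax: the parser is chosen by the allow-listed Lang only.
        RDFDataMgr.read(model, body, lang);
        return model;
    }
}
```

Rejecting the request with a 415 response when the exception is thrown, and logging the declared media type, gives an easy detection signal for clients that keep trying to submit RDF/XML.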

Re: Security vulnerability?

Posted by Rob Vesse <rv...@dotnetrdf.org>.
Potentially yes, see https://issues.apache.org/jira/browse/JENA-1364

There is a known vulnerability in the Apache Xerces library we use; unfortunately there has not been an official Xerces release for quite some time (Feb 2013 was the last). There had been some apparent discussion at finally making a new release around the time that the issue was reported to us, but it has unfortunately not materialised.

The referenced JIRA issue describes end user workarounds which involve substituting an alternative build of that library.

For general guidelines on how to report security issues to any Apache project please see https://www.apache.org/security/

Rob

On 19/10/2017 16:13, "Roland Cornelissen" <me...@gmail.com> wrote:

    Hi,
    
    Could it be that the Jena library causes an XXE vulnerability? [1]
    I am looking into this for a web application we are using and I'm not
    sure on how to report/question such issues.
    
    Thanks,
    Roland
    
    [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing