You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@jena.apache.org by rv...@apache.org on 2023/04/26 10:24:16 UTC

[jena-site] branch cve-2023-22665 created (now 425635805)

This is an automated email from the ASF dual-hosted git repository.

rvesse pushed a change to branch cve-2023-22665
in repository https://gitbox.apache.org/repos/asf/jena-site.git


      at 425635805 Advisory and doc updates for CVE-2023-22665

This branch includes the following new commits:

     new 425635805 Advisory and doc updates for CVE-2023-22665

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

[jena-site] 01/01: Advisory and doc updates for CVE-2023-22665

Posted by rv...@apache.org.

This is an automated email from the ASF dual-hosted git repository.

rvesse pushed a commit to branch cve-2023-22665
in repository https://gitbox.apache.org/repos/asf/jena-site.git

commit 425635805bb14fe30ed4318cbc502d7435e432cc
Author: Rob Vesse <ro...@telicent.io>
AuthorDate: Wed Apr 26 11:23:47 2023 +0100

    Advisory and doc updates for CVE-2023-22665
---
 source/about_jena/security-advisories.md           | 28 ++++++++++++++++------
 source/documentation/query/javascript-functions.md |  4 ++++
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/source/about_jena/security-advisories.md b/source/about_jena/security-advisories.md
index a2ad55547..87745f02e 100644
--- a/source/about_jena/security-advisories.md
+++ b/source/about_jena/security-advisories.md
@@ -50,9 +50,23 @@ policy above we advise users to always utilise the latest Jena release available
 
 Please refer to the individual CVE links for further details and mitigations.
 
+## CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions.
+
+[CVE-2023](https://www.cve.org/CVERecord?id=CVE-2023-22665) affects Jena ?? through 4.7.0 and relates to the [Javascript
+SPARQL Functions](https://jena.apache.org/documentation/query/javascript-functions.html) feature of our ARQ SPARQL
+engine.
+
+From Jena 4.8.0 onwards this feature **MUST** be explicitly enabled by end users, and on newer JVMs (Java 17 onwards) a
+JavaScript script engine must be explicitly added to the environment.  However, when enabled this feature does expose
+the majority of the underlying scripting engine directly to SPARQL queries so may remain a vector for arbitrary code
+execution.  Therefore it is recommended that this feature remain disabled for any publicly accessible deployment that
+utilises the ARQ query engine.
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
 ## CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB
 
-[CVE-2022-45136](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136) affects all versions of [Jena
+[CVE-2022-45136](https://www.cve.org/CVERecord?id=CVE-2022-45136) affects all versions of [Jena
 SDB](../documentation/archive/sdb/) up to and including the final `3.17.0` release.
 
 Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to [Jena TDB
@@ -62,7 +76,7 @@ Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue
 
 ## CVE-2022-28890 - Processing External DTDs
 
-[CVE-2022-28890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890) affects the RDF/XML parser in Jena 4.4.0
+[CVE-2022-28890](https://www.cve.org/CVERecord?id=CVE-2022-28890) affects the RDF/XML parser in Jena 4.4.0
 only.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
@@ -72,13 +86,13 @@ report.
 
 ## CVE-2021-39239 - XML External Entity (XXE) Vulnerability
 
-[CVE-2021-39239](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239) affects XML parsing up to and including the Jena `4.1.0` release.
+[CVE-2021-39239](https://www.cve.org/CVERecord?id=CVE-2021-39239) affects XML parsing up to and including the Jena `4.1.0` release.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
 
 ## CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki
 
-[CVE-2021-33192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192) affected
+[CVE-2021-33192](https://www.cve.org/CVERecord?id=CVE-2021-33192) affected
 [Fuseki](../documentation/fuseki2/) versions `2.0.0` through `4.0.0`.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
@@ -91,9 +105,9 @@ and/or configuration changes have been adopted and released as soon as appropria
 
 ## log4shell
 
-[CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046),
-[CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) and
-[CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832), collectively known as
+[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45046),
+[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105) and
+[CVE-2021-44832](https://www.cve.org/CVERecord?id=CVE-2021-44832), collectively known as
 [log4shell](https://en.wikipedia.org/wiki/Log4Shell) were several vulnerabilities identified in the [Apache
 Log4j](https://logging.apache.org/log4j/2.x/index.html) project that Jena uses as the concrete logging implementation
 for [Fuseki](../documentation/fuseki2/) and our command line tools.
diff --git a/source/documentation/query/javascript-functions.md b/source/documentation/query/javascript-functions.md
index 89176bb18..9cca68680 100644
--- a/source/documentation/query/javascript-functions.md
+++ b/source/documentation/query/javascript-functions.md
@@ -65,6 +65,10 @@ will execute on the data with the JavaScript functions from file
 JavaScript functions can also be set from a string directly from within Java using constant
 `ARQ.symJavaScriptFunctions` ("http://jena.apache.org/ARQ#js-functions").
 
+**WARNING:** Enabling this feature exposes the majority of the underlying scripting engine directly to SPARQL queries so
+may provide a vector for arbitrary code execution.  Therefore it is recommended that this feature remain disabled for
+any publicly accessible deployment that utilises the ARQ query engine.
+
 ## Using JavaScript functions
 
 SPARQL functions implemented in JavaScript are automatically called when a