Posted to commits@jena.apache.org by gi...@apache.org on 2023/04/27 08:56:48 UTC

[jena-site] branch asf-site updated: Updated site from main (5e0ccf2e4f402ecc0e7e38c43e66ebe1a3e9efd2)

This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/jena-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new d561f610b Updated site from main (5e0ccf2e4f402ecc0e7e38c43e66ebe1a3e9efd2)
d561f610b is described below

commit d561f610b1d51c1f3b35a213037971aa9cccad05
Author: jenkins <bu...@apache.org>
AuthorDate: Thu Apr 27 08:56:42 2023 +0000

    Updated site from main (5e0ccf2e4f402ecc0e7e38c43e66ebe1a3e9efd2)
---
 content/about_jena/security-advisories.html        | 26 ++++++++++++++++------
 .../documentation/query/javascript-functions.html  |  3 +++
 content/index.json                                 |  2 +-
 content/sitemap.xml                                |  8 +++----
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/content/about_jena/security-advisories.html b/content/about_jena/security-advisories.html
index 977053521..00da06cd1 100644
--- a/content/about_jena/security-advisories.html
+++ b/content/about_jena/security-advisories.html
@@ -183,6 +183,7 @@
   </ul>
 
   <ul>
+    <li><a href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions.</a></li>
     <li><a href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</a></li>
     <li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing External DTDs</a></li>
     <li><a href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - XML External Entity (XXE) Vulnerability</a></li>
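Review bot: the new list entry's link text ends with a period (`... script engine expressions.`) while the neighbouring CVE entries carry none; drop the trailing period in the markdown source for consistency. The generated anchor id (`#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions`) already omits it, so the change does not affect the fragment link.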
@@ -225,23 +226,33 @@ appropriate to the severity of the issue.</p>
 <p>The following CVEs specifically relate to the Jena codebase itself and have been addressed by the project. Per our
 policy above we advise users to always utilise the latest Jena release available.</p>
 <p>Please refer to the individual CVE links for further details and mitigations.</p>
+<h2 id="cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions.</h2>
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2023-22665">CVE-2023</a> affects Jena 3.7.0 through 4.7.0 and relates to the
+<a href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript SPARQL Functions</a> feature of our ARQ
+SPARQL engine.</p>
+<p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly enabled by end users, and on newer JVMs (Java 17 onwards) a
+JavaScript script engine <strong>MUST</strong> be explicitly added to the environment.</p>
+<p>However, when enabled this feature does expose the majority of the underlying scripting engine directly to SPARQL
+queries so may provide a vector for arbitrary code execution.  Therefore, it is recommended that this feature remain
+disabled for any publicly accessible deployment that utilises the ARQ query engine.</p>
+<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
 <h2 id="cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</h2>
-<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136">CVE-2022-45136</a> affects all versions of <a href="../documentation/archive/sdb/">Jena
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2022-45136">CVE-2022-45136</a> affects all versions of <a href="../documentation/archive/sdb/">Jena
 SDB</a> up to and including the final <code>3.17.0</code> release.</p>
 <p>Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to <a href="../documentation/tdb2/">Jena TDB
 2</a> or other 3rd party vendor alternatives.</p>
 <p>Apache Jena would like to thank Crilwa &amp; LaNyer640 for reporting this issue</p>
 <h2 id="cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing External DTDs</h2>
-<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890">CVE-2022-28890</a> affects the RDF/XML parser in Jena 4.4.0
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2022-28890">CVE-2022-28890</a> affects the RDF/XML parser in Jena 4.4.0
 only.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
 <p>Apache Jena would like to thank Feras Daragma, Avishag Shapira &amp; Amit Laish (GE Digital, Cyber Security Lab) for their
 report.</p>
 <h2 id="cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - XML External Entity (XXE) Vulnerability</h2>
-<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239">CVE-2021-39239</a> affects XML parsing up to and including the Jena <code>4.1.0</code> release.</p>
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-39239">CVE-2021-39239</a> affects XML parsing up to and including the Jena <code>4.1.0</code> release.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
 <h2 id="cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki</h2>
-<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192">CVE-2021-33192</a> affected
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-33192">CVE-2021-33192</a> affected
 <a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code> through <code>4.0.0</code>.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> available.</p>
 <h1 id="cves-in-jena-dependencies">CVEs in Jena Dependencies</h1>
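Review bot: the link text in the first line of the new CVE-2023-22665 paragraph reads `CVE-2023` while the href points at the full record; the text should carry the complete identifier (`CVE-2023-22665`) so readers can match it to the heading and to the other entries, which all name the full CVE. Two smaller consistency points in the same addition: the new `<h2>` ends with a period where no other CVE heading does, and "Javascript SPARQL Functions" should be spelled `JavaScript` to match the title of the linked documentation page.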
@@ -249,9 +260,9 @@ report.</p>
 standard <a href="#security-issue-policy">Security Issue Policy</a> applies and any necessary dependency updates, dependency API
 and/or configuration changes have been adopted and released as soon as appropriate.</p>
 <h2 id="log4shell">log4shell</h2>
-<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45105</a>,
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a> and
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a>, collectively known as
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2021-45046">CVE-2021-45105</a>,
+<a href="https://www.cve.org/CVERecord?id=CVE-2021-45105">CVE-2021-45105</a> and
+<a href="https://www.cve.org/CVERecord?id=CVE-2021-44832">CVE-2021-44832</a>, collectively known as
 <a href="https://en.wikipedia.org/wiki/Log4Shell">log4shell</a> were several vulnerabilities identified in the <a href="https://logging.apache.org/log4j/2.x/index.html">Apache
 Log4j</a> project that Jena uses as the concrete logging implementation
 for <a href="../documentation/fuseki2/">Fuseki</a> and our command line tools.</p>
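Review bot: the first link of the log4shell paragraph still mislabels its target: its href is the record for CVE-2021-45046 but the link text reads `CVE-2021-45105`, so the paragraph names CVE-2021-45105 twice and never names CVE-2021-45046 in visible text. The migration from `cve.mitre.org` to `www.cve.org` carried the mismatch over unchanged; the link text on that line should be `CVE-2021-45046`.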
@@ -272,6 +283,7 @@ for <a href="../documentation/fuseki2/">Fuseki</a> and our command line tools.</
   </ul>
 
   <ul>
+    <li><a href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions.</a></li>
     <li><a href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB</a></li>
     <li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing External DTDs</a></li>
     <li><a href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - XML External Entity (XXE) Vulnerability</a></li>
diff --git a/content/documentation/query/javascript-functions.html b/content/documentation/query/javascript-functions.html
index 4d3116eb0..bce078be2 100644
--- a/content/documentation/query/javascript-functions.html
+++ b/content/documentation/query/javascript-functions.html
@@ -241,6 +241,9 @@ sparql --set arq:js-library=SomeFile.js --data ... --query ...
 &ldquo;SomeFile.js&rdquo; available.</p>
 <p>JavaScript functions can also be set from a string directly from within Java using constant
 <code>ARQ.symJavaScriptFunctions</code> (&ldquo;<a href="http://jena.apache.org/ARQ#js-functions%22)">http://jena.apache.org/ARQ#js-functions&quot;)</a>.</p>
+<p><strong>WARNING:</strong> Enabling this feature exposes the majority of the underlying scripting engine directly to SPARQL queries so
+may provide a vector for arbitrary code execution.  Therefore it is recommended that this feature remain disabled for
+any publicly accessible deployment that utilises the ARQ query engine.</p>
 <h2 id="using-javascript-functions">Using JavaScript functions</h2>
 <p>SPARQL functions implemented in JavaScript are automatically called when a
 URI starting &ldquo;<a href="http://jena.apache.org/ARQ/jsFunction#%22">http://jena.apache.org/ARQ/jsFunction#&quot;</a> used.</p>
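Review bot: the new WARNING paragraph tells readers to keep the feature disabled but does not say what the default is or where the advisory lives; since the same push adds a CVE-2023-22665 entry stating that from Jena 4.8.0 the feature must be explicitly enabled, the warning should link to that advisory section and state the 4.8.0 default so a reader can tell whether their version exposes the engine without opting in. Separately, the unchanged context lines around the addition show malformed hrefs where the closing quote was absorbed into the URL (`ARQ#js-functions%22)` and `jsFunction#%22`); that is pre-existing, but worth fixing in the markdown source while this page is being touched.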
diff --git a/content/index.json b/content/index.json
index f2aa11fda..390bde4dd 100644
--- a/content/index.json
+++ b/content/index.json
@@ -1 +1 @@
-[{"categories":null,"contents":"This page is historical \u0026ldquo;for information only\u0026rdquo; - there is no Apache release of Eyeball and the code has not been updated for Jena3.\nThe original source code is available. So you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going on.\nEyeball inspects your model a [...]
\ No newline at end of file
+[{"categories":null,"contents":"This page is historical \u0026ldquo;for information only\u0026rdquo; - there is no Apache release of Eyeball and the code has not been updated for Jena3.\nThe original source code is available. So you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going on.\nEyeball inspects your model a [...]
\ No newline at end of file
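Review bot: `index.json` is a single-line generated search index, so the hunk shows only a truncated `[...]` line and the actual content change is not reviewable here. If this file is meant to be reviewed, emit it pretty-printed from the site generator (or exclude it from review diffs); writing it with a trailing newline would also remove the `\ No newline at end of file` marker that appears on both sides of the hunk.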
diff --git a/content/sitemap.xml b/content/sitemap.xml
index 68f9ae619..ba6cac99e 100644
--- a/content/sitemap.xml
+++ b/content/sitemap.xml
@@ -6,7 +6,7 @@
     <lastmod>2020-06-28T16:59:07+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/about_jena.html</loc>
-    <lastmod>2023-04-10T10:11:44+01:00</lastmod>
+    <lastmod>2023-04-26T11:32:32+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/permissions/example.html</loc>
     <lastmod>2022-01-12T17:24:53+00:00</lastmod>
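Review bot: the updated `lastmod` values mix UTC offsets (`+01:00` on the new lines here, `+00:00` on the unchanged neighbours, and `+02:00` and `+12:00` elsewhere in the sitemap hunks), which indicates the timestamps come from the build host's or committer's local time rather than a fixed clock. Generating `lastmod` in UTC (`Z` suffix) would make the sitemap stable across builds and avoid spurious diffs that only change the offset.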
@@ -114,7 +114,7 @@
     <lastmod>2021-11-05T08:11:46+00:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/query/javascript-functions.html</loc>
-    <lastmod>2023-02-19T09:28:48+00:00</lastmod>
+    <lastmod>2023-04-26T11:23:47+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/query/lateral-join.html</loc>
     <lastmod>2023-02-26T22:14:57+01:00</lastmod>
@@ -201,7 +201,7 @@
     <lastmod>2023-04-09T15:11:22+02:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation.html</loc>
-    <lastmod>2023-04-10T12:49:33+02:00</lastmod>
+    <lastmod>2023-04-26T11:23:47+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/download.html</loc>
     <lastmod>2023-04-16T17:26:15+01:00</lastmod>
@@ -375,7 +375,7 @@
     <lastmod>2020-05-01T11:11:56+12:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/about_jena/security-advisories.html</loc>
-    <lastmod>2022-11-21T09:42:05+00:00</lastmod>
+    <lastmod>2023-04-26T11:32:32+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/txn/</loc>
     <lastmod>2020-02-28T13:09:12+01:00</lastmod>