Apache Jena Security Advisories

The Jena project has issued a number of security advisories during the lifetime of the project. On this page you’ll find details of our past CVEs and relevant Dependency CVEs.

Jena CVEs

The following CVEs specifically relate to the Jena codebase itself and have been addressed by the project. Per our policy above, we advise users to always utilise the latest Jena release available.

Please refer to the individual CVE links for further details and mitigations.

CVE-2023-32200 - Exposure of execution in script engine expressions

CVE-2023-32200 affects Jena 3.7.0 through Jena 4.8.0 and relates to the JavaScript SPARQL Functions feature of our ARQ SPARQL engine.

There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier when invoking custom scripts. This allows a remote user to execute JavaScript via a SPARQL query.

From Jena 4.9.0, script functions MUST be added to an explicit “allow” list for them to be called from the SPARQL query engine. This is in addition to the script enabling controls of Jena 4.8.0 which MUST also be applied.

Users should upgrade to the latest Jena 4.x release available.

CVE-2023-22665 - Exposure of arbitrary execution in script engine expressions

CVE-2023-22665 affects Jena 3.7.0 through 4.7.0 and relates to the JavaScript SPARQL Functions feature of our ARQ SPARQL engine.

From Jena 4.8.0 onwards this feature MUST be explicitly enabled by end users, and on newer JVMs (Java 17 onwards) a JavaScript script engine MUST be explicitly added to the environment.

However, when enabled, this feature exposes the majority of the underlying scripting engine directly to SPARQL queries and so may provide a vector for arbitrary code execution. Therefore, it is recommended that this feature remain disabled for any publicly accessible deployment that utilises the ARQ query engine.

Users should upgrade to the latest Jena 4.x release available.

CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB

CVE-2022-45136 affects all versions of Jena SDB up to and including the final 3.17.0 release.

Apache Jena SDB has been EOL since December 2020, and we recommend any remaining users migrate to Jena TDB 2 or other third-party vendor alternatives.

Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue.

CVE-2022-28890 - Processing External DTD

CVE-2022-28890 affects the RDF/XML parser in Jena 4.4.0 only.

Users should upgrade to the latest Jena 4.x release available.

Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.

CVE-2021-39239 - XML External Entity (XXE) Vulnerability

CVE-2021-39239 affects XML parsing up to and including the Jena 4.1.0 release.

Users should upgrade to the latest Jena 4.x release available.

CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki

CVE-2021-33192 affected Fuseki versions 2.0.0 through 4.0.0.

Users should upgrade to the latest Jena 4.x release available.

Dependencies

The following advisories are CVEs in Jena's dependencies that may affect users of Jena. As with Jena-specific CVEs, our standard Security Issue Policy applies, and any necessary dependency updates, dependency API and/or configuration changes have been adopted and released as soon as appropriate.

log4j2

CVE-2021-45105 and CVE-2021-44832, collectively known as Log4Shell, were vulnerabilities identified in the Apache Log4j project, which Jena uses as the concrete logging implementation for Fuseki and our command line tools.

Jena versions prior to 4.4.0 included vulnerable versions of Log4j.

Users should upgrade to the latest Jena 4.x release available.