Re: [lyo-dev] CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability
Yes Jad,
We need to solve the OpenAPI library version upgrade in order to be able to go to the newest version of Jersey.
However, Jena migration to 4.0 is also coupled with a migration to Java 11. There was no real reason to do this in Jena 4.0 or 4.1 but as you see below, 4.2 finally adds support for JSON-LD 1.1 and that required Java 11. I will check if there is a way to reduce the impact of this CVE by manually managing the version of the relevant Jena dependency or if it's a bug in the Jena code directly.
We made a commitment not to break Java 8 compatibility in Lyo 4.x. But this may mean that Lyo 5.0 may be released sooner rather than later if we are unable to effectively mitigate CVE risks for reasons outside of our control.
–Andrew.
On 2021-09-16, 14:18, "lyo-dev on behalf of Jad El-Khoury" <lyo-dev-bounces@xxxxxxxxxxx on behalf of jad@xxxxxx> wrote:
Andrew
I guess it is still a blocker that Lyo is still relying on an older version of Jersey? Before that, we cannot upgrade to latest versions of many other libraries, correct?
______________________________
Jad El-khoury, PhD
KTH Royal Institute of Technology
School of Industrial Engineering and Management, Mechatronics Division
Brinellvägen 83, SE-100 44 Stockholm, Sweden
Phone: +46(0)8 790 6877 Mobile: +46(0)70 773 93 45
jad@xxxxxx, www.kth.se
-----Original Message-----
From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
Sent: Thursday, 16 September 2021 14:11
To: lyo-dev@xxxxxxxxxxx
Subject: [lyo-dev] FW: CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability
–Andrew.
On 2021-09-16, 13:55, "Andy Seaborne" <andy@xxxxxxxxxx> wrote:
Severity: high
Description:
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
Mitigation:
Users are advised to upgrade to Apache Jena 4.2.0 or later.
_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/lyo-dev
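The advisory quoted above gives the affected range (up to 4.1.0) and the fixed release (4.2.0), and Andrew mentions checking which version of the Jena dependency a build actually pulls in. As an added example, not code from the thread, Lyo or Jena: a Python script that scans `mvn dependency:tree` output (a constructed sample is embedded; replace it with your own build's output) and reports every Jena artifact, direct or transitive, that is older than the fix.

```python
"""Flag Apache Jena artifacts in a Maven dependency tree that fall in the range
affected by CVE-2021-39239 (up to 4.1.0; fixed in 4.2.0). Added example, not
Lyo or Jena code; feed it the output of `mvn dependency:tree` from your build."""
import re
from typing import List, Tuple

FIXED_VERSION = (4, 2, 0)      # first fixed release named in the advisory
JENA_GROUP = "org.apache.jena"

# A tree line looks like "[INFO] |  +- org.apache.jena:jena-arq:jar:4.1.0:compile"
LINE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.0' or '4.0.0-rc1' into a comparable tuple; the qualifier after
    '-' is dropped so it cannot make an old release look newer than it is."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums) or (0,)

def is_affected(version: str) -> bool:
    """True for any Jena release older than the fixed version."""
    return parse_version(version) < FIXED_VERSION

def audit_tree(tree_output: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, scope) for every affected Jena artifact,
    transitive ones included, in the order the tree lists them."""
    findings = []
    for line in tree_output.splitlines():
        m = LINE_RE.search(line)
        if not m:                       # root line and non-dependency output
            continue
        group, artifact, version, scope = m.groups()
        if group == JENA_GROUP and is_affected(version):
            findings.append((artifact, version, scope))
    return findings

# Constructed sample of `mvn dependency:tree` output: an old Jena arrives
# transitively through a helper library, not from the project's own pom.
SAMPLE_TREE = """\
[INFO] com.example:lyo-consumer:jar:1.0.0
[INFO] +- org.glassfish.jersey.core:jersey-server:jar:2.25.1:compile
[INFO] +- org.example:rdf-helper:jar:1.3.0:compile
[INFO] |  \\- org.apache.jena:jena-arq:jar:4.1.0:compile
[INFO] |     \\- org.apache.jena:jena-core:jar:4.1.0:compile
[INFO] \\- org.apache.jena:jena-iri:jar:4.2.0:compile
"""

if __name__ == "__main__":
    for artifact, version, scope in audit_tree(SAMPLE_TREE):
        print(f"affected: {JENA_GROUP}:{artifact}:{version} ({scope})")
```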