Hello,
FYI, this is the Jena release with a log4j fix. Also, here is an earlier message from Andy regarding the vulnerability scope:
Jena ships log4j2 in Fuseki and the command line tools.
The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.
Remote execution is only possible with older versions of Java.
Java versions 8u121 and 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase"
and
"com.sun.jndi.cosnaming.object.trustURLCodebase"
to "false", protecting against remote code execution by default.
The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with
all affected Fuseki versions:
JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server ....
Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239
***
To my best knowledge, Lyo 4.x should not be vulnerable both because we only rely on Jena libs and not Fuseki or CLI tools and because we exclude log4j already from our builds:
https://github.com/eclipse/lyo/blob/master/pom.xml#L259
Lyo is ready to switch to the newest Jena model once
https://github.com/eclipse/lyo/pull/222 is merged and to finally address CVE-2021-39239.
A friendly reminder to fill out the Lyo dev survey:
https://docs.google.com/forms/d/e/1FAIpQLScpuLEoIXpCGnVsLVVwaJq5-5BzTIlZ4uiS77uNDjOFJ3i4Mg/viewform?usp=sf_link
The responses we got till now indicate there are no Lyo users who cannot upgrade to JDK 11.
/Andrew
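As an added example, not part of either message above: a POSIX sh check that scans a Fuseki or Jena command-line installation for the bundled log4j-core jar and flags any copy below the 2.15.0 that this release moves to. The lib directory path and the log4j-core-<version>.jar file naming are assumptions; raise MIN_VERSION to whatever the current log4j advisory requires.

```shell
#!/bin/sh
# Scan a Jena/Fuseki install for log4j-core jars and report any below a minimum version.
# Usage: scan_log4j_jars /path/to/fuseki/lib [MIN_VERSION]
# (example script, not part of the Jena or Lyo projects)

# Return 0 if dotted numeric version $1 is >= version $2, else 1.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Extract the version from a jar name, e.g. log4j-core-2.14.1.jar -> 2.14.1
# (assumes the Maven-style naming that Fuseki's lib directory uses).
jar_version() {
  basename "$1" .jar | sed -n 's/^log4j-core-//p'
}

# Print "<OK|VULNERABLE> <version> <path>" for every log4j-core jar under $1.
# Exit status 0 when all jars meet the minimum, 1 when at least one does not.
# Runs in a subshell so the IFS change does not leak to the caller.
scan_log4j_jars() (
  dir=$1
  min=${2:-2.15.0}   # 2.15.0 is the log4j2 version Jena 4.3.1 upgrades to
  status=0
  IFS='
'
  for jar in $(find "$dir" -name 'log4j-core-*.jar'); do
    ver=$(jar_version "$jar")
    if version_ge "$ver" "$min"; then
      echo "OK $ver $jar"
    else
      echo "VULNERABLE $ver $jar"
      status=1
    fi
  done
  exit "$status"
)

if [ "$#" -gt 0 ]; then scan_log4j_jars "$@"; fi
```

A clean scan only says the bundled jar is current; an application that pulls its own log4j2 in via other dependencies still needs the check Andy recommends on its own classpath.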
On 2021-12-13, 18:31, "Andy Seaborne" <andy@xxxxxxxxxx> wrote:
The Apache Jena development community is pleased to
announce the release of Apache Jena 4.3.1.
This release updates the version of log4j2 used in Fuseki.
Fuseki users should upgrade as soon as possible.
Users of Jena libraries should check their application logging
dependencies and update as necessary.
== Changes
JENA-2211: Upgrade to Log4j2 2.15.0
JENA-2209, JENA-2210: xloader improvements
JENA-2207: Fix for SERVICE
== Obtaining Apache Jena 4.3.1
* Via central.maven.org
The main jars and their dependencies can be used with:
<dependency>
  <groupId>org.apache.jena</groupId>
  <artifactId>apache-jena-libs</artifactId>
  <type>pom</type>
  <version>4.3.1</version>
</dependency>
Full details of all maven artifacts are described at:
http://jena.apache.org/download/maven.html
* As binary downloads
Apache Jena libraries are available as a binary distribution of
libraries. For details of a global mirror copy of Jena binaries please see:
http://jena.apache.org/download/
* Source code for the release
The signed source code of this release is available at:
http://www.apache.org/dist/jena/source/
and the signed master source for all Apache Jena releases is available
at: http://archive.apache.org/dist/jena/
== Contributing
If you would like to help out, a good place to look is the list of
unresolved JIRA at:
http://s.apache.org/jena-jira-current
or review pull requests at
https://github.com/apache/jena/pulls
or drop into the dev@ list.
We use github pull requests and other ways for accepting code:
https://github.com/apache/jena/blob/master/CONTRIBUTING.md