Re: [lyo-dev] CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability

Time to upgrade OpenAPI to start with. I put it on my action list.

______________________________
Jad El-khoury, PhD
KTH Royal Institute of Technology
School of Industrial Engineering and Management, Mechatronics Division
Brinellvägen 83, SE-100 44 Stockholm, Sweden
Phone: +46(0)8 790 6877 Mobile: +46(0)70 773 93 45
jad@xxxxxx, www.kth.se 

-----Original Message-----
From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
Sent: Thursday, 16 September 2021 14:29
To: Lyo project developer discussions <lyo-dev@xxxxxxxxxxx>
Subject: Re: [lyo-dev] CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability

Yes Jad,

We need to solve the OpenAPI library version upgrade in order to be able to go to the newest version of Jersey.

However, Jena migration to 4.0 is also coupled with a migration to Java 11. There was no real reason to do this in Jena 4.0 or 4.1 but as you see below, 4.2 finally adds support for JSON-LD 1.1 and that required Java 11. I will check if there is a way to reduce the impact of this CVE by manually managing the version of the relevant Jena dependency or if it's a bug in the Jena code directly.

We made a commitment not to break Java 8 compatibility in Lyo 4.x. But this may mean that Lyo 5.0 may be released sooner rather than later if we are unable to effectively mitigate CVE risks for reasons outside of our control.

–Andrew.

On 2021-09-16, 14:18, "lyo-dev on behalf of Jad El-Khoury" <lyo-dev-bounces@xxxxxxxxxxx on behalf of jad@xxxxxx> wrote:

    Andrew

    I guess it is still a blocker that Lyo is still relying on an older version of Jersey? Before that, we cannot upgrade to latest versions of many other libraries, correct?

    ______________________________
    Jad El-khoury, PhD
    KTH Royal Institute of Technology
    School of Industrial Engineering and Management, Mechatronics Division
    Brinellvägen 83, SE-100 44 Stockholm, Sweden
    Phone: +46(0)8 790 6877 Mobile: +46(0)70 773 93 45
    jad@xxxxxx, www.kth.se 

    -----Original Message-----
    From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
    Sent: Thursday, 16 September 2021 14:11
    To: lyo-dev@xxxxxxxxxxx
    Subject: [lyo-dev] FW: CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability



    –Andrew.

    On 2021-09-16, 13:55, "Andy Seaborne" <andy@xxxxxxxxxx> wrote:

        Severity: high

        Description:

        A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

        Mitigation:

        Users are advised to upgrade to Apache Jena 4.2.0 or later.


    _______________________________________________
    lyo-dev mailing list
    lyo-dev@xxxxxxxxxxx
    To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/lyo-dev
