[lyo-dev] Fwd: CVE-2022-28890: Apache Jena: Processing external DTDs

Dear Lyo users,

Please be advised that Jena 4.5.0 was just released an hour ago and has a CVE for a security vulnerability. See the details in the forwarded email below.

Lyo 5.0.0 is already using Jena 4.5.0 in SNAPSHOT and will be released in two weeks. We are planning to make a Lyo 5.0.0.CR candidate release before the weekend.

Unfortunately, Jena 4.5.0 switched from Java 8 to Java 11 and introduced some breaking changes, so we will not be able to release a bugfix release for Lyo 4.1.0 or Lyo 2.4.0. I suggest that all Lyo users plan to migrate to Lyo 5.0 soon.

/Andrew

Begin forwarded message:

From: Andy Seaborne <andy@xxxxxxxxxx>
Subject: CVE-2022-28890: Apache Jena: Processing external DTDs
Date: W18 4 May 2022 at 23:26:45 CEST

Severity: medium

Description:

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved.  This issue affects Apache Jena version 4.4.0 and prior versions.  Apache Jena 4.2.x and 4.3.x do not allow external entities.

Mitigation:

Users are advised to upgrade to Apache Jena 4.5.0 or later.

Credit:

Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.
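The advisory above describes the general problem class: an RDF/XML document carries a DOCTYPE whose external subset points at a URL, and a parser that honours it will go and fetch that URL. The following Java example is added here for illustration and is not Jena's own code or the 4.5.0 fix; it uses only the standard JAXP SAX API with the JDK's built-in Xerces feature names. The `http://dtd.example.invalid/placeholder.dtd` URL and the RDF/XML snippet are constructed sample input. It first shows how to observe that a default-configured parser asks for the external DTD (a recording `EntityResolver` that never touches the network), then the hardened factory configuration that rejects the DOCTYPE outright.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class ExternalDtdDemo {

    // Constructed sample: minimal RDF/XML whose DOCTYPE names an external DTD.
    // The host is a reserved ".invalid" placeholder, not a real server.
    static final String RDF_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE rdf:RDF SYSTEM \"http://dtd.example.invalid/placeholder.dtd\">\n" +
        "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n" +
        "  <rdf:Description rdf:about=\"http://example.org/x\"/>\n" +
        "</rdf:RDF>\n";

    /**
     * Records every external entity the parser tries to resolve and hands back an
     * empty DTD instead, so the resolution attempt is visible without any network I/O.
     * Useful as a detection hook when auditing which inputs would trigger a fetch.
     */
    static final class RecordingHandler extends DefaultHandler {
        final List<String> requestedSystemIds = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requestedSystemIds.add(systemId);
            return new InputSource(new StringReader("")); // empty external subset
        }
    }

    /** Default JAXP factory: no features changed, so external DTD loading stays on. */
    static SAXParserFactory defaultFactory() {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /**
     * Hardened factory. disallow-doctype-decl makes any DOCTYPE a fatal error, which
     * closes off external DTDs and entities entirely. The remaining features are the
     * fallback for deployments that must still accept a DOCTYPE: they stop the parser
     * from loading the external subset or expanding external entities.
     */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    /** Parses the document; returns true if accepted, false if the parser rejected it. */
    static boolean parse(SAXParserFactory factory, String xml, DefaultHandler handler) throws Exception {
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), handler);
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Default configuration: the parser asks the resolver for the external DTD.
        RecordingHandler recorder = new RecordingHandler();
        boolean acceptedByDefault = parse(defaultFactory(), RDF_WITH_EXTERNAL_DTD, recorder);
        System.out.println("default parser accepted: " + acceptedByDefault);
        System.out.println("default parser requested: " + recorder.requestedSystemIds);

        // 2. Hardened configuration: the DOCTYPE itself is refused, nothing is requested.
        RecordingHandler hardenedRecorder = new RecordingHandler();
        boolean acceptedByHardened = parse(hardenedFactory(), RDF_WITH_EXTERNAL_DTD, hardenedRecorder);
        System.out.println("hardened parser accepted: " + acceptedByHardened);
        System.out.println("hardened parser requested: " + hardenedRecorder.requestedSystemIds);
    }
}
```

With the default factory the recorder lists the placeholder DTD URL, which is exactly the outbound request the advisory is about; with the hardened factory the parse fails at the DOCTYPE and the list stays empty. For an application that consumes RDF/XML through a library rather than its own SAX parser, the equivalent check is to confirm the library version is one where the vendor has applied this kind of configuration (here, Jena 4.5.0 or later), since the factory settings are not reachable from the caller.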
