[lyo-dev] Fwd: CVE-2023-32200

FYI and an extra reason to switch to OpenJDK 17.
–Andrew.

Begin forwarded message:

From: Andy Seaborne <andy@xxxxxxxxxx>
Subject: Re: CVE-2023-32200
Date: 20 July 2023 at 19:13:35 CEST
To: <users@xxxxxxxxxxxxxxx>
Reply-To: <users@xxxxxxxxxxxxxxx>
On 20/07/2023 17:18, Brandon Sara wrote:
> I just came across CVE-2023-32200 and was wondering, is it different than CVE-2023-22665 and, if so, how is it different?

Jena 4.8.0 addresses CVE-2023-22665 by requiring the Java system property "jena:scripting" to enable scripting.

Jena 4.9.0 addresses CVE-2023-32200 which happens if scripting is enabled (4.8.0). The change goes further than only addressing the security issue by requiring script functions to be in an "allowed" list; that is, there is an API contract for callable scripts. Other functions in the script file are not callable which should help development.

Running Java17 means there is no scripting engine unless the deployment has added one. Java11 has a scripting engine in the JDK.

   Andy