And just to be clear, this code would execute on the Fuseki server, correct?

On Jun 2, 2023, at 3:20 AM, Andy Seaborne <[email protected]> wrote:

The advice from the project is to upgrade or at least run in a Java17+ environment, otherwise anything may be possible.

Andy

On 01/06/2023 17:57, Brandon Sara wrote:
> Ok. When you say “arbitrary function”, could one craft and run code that
> makes HTTP calls (via XMLHttpRequest or the fetch API, for example)? We don’t
> have sensitive data in our store, but I want to make sure that no one could
> make queries to other servers via queries to Fuseki.
>
> On Jun 1, 2023, at 7:16 AM, Andy Seaborne <[email protected]> wrote:
>
> On 01/06/2023 09:42, Rob @ DNR wrote:
>> Yes, prior to 4.8.0 users can craft a query that calls arbitrary JavaScript
>> functions even if you have not explicitly configured custom scripts.
>>
>> As discussed on our Security Advisories page [1] the project's advice is
>> always to use the latest version available.
>>
>> Or as already noted in this thread run using Java 17 as that does not have a
>> script engine embedded by default. Java code is generally forward compatible
>> safe so even though the project releases builds made to target Java 11 it’s
>> fine to run that on a newer JVM.
>
> A Jena release is compiled with Java17 at the moment, producing Java11
> bytecode. This is done to work around Javadoc issues; some improvements
> haven't been backported to the Java11 codeline.
>
> We have Jenkins jobs for Java11, Java17 and Java-latest.
>
> There are also github actions in the project codebase.
>
> The project policy has always been "2 versions of Java" which we have
> interpreted nowadays as two LTS. Java21 is Sept this year and, barring a
> change of plan by OpenJDK, will be LTS.
>
> Andy
>
>>
>> Is there any particular reason you haven’t yet upgraded to 4.8.0?
>>
>> Rob
>>
>> [1]: https://jena.apache.org/about_jena/security-advisories.html#standard-mitigation-advice
>>
>> From: Brandon Sara <[email protected]>
>> Date: Thursday, 1 June 2023 at 02:05
>> To: [email protected] <[email protected]>
>> Subject: Re: CVE-2023-22665 Risk using Fuseki Pre 4.8.0
>>
>> I’m running with a version built and run with java 11. Given this, is there
>> still a risk/concern if I don’t have custom scripts configured at all on the
>> Fuseki server?
>>
>> On May 31, 2023, at 12:06 PM, Andy Seaborne <[email protected]> wrote:
>>
>> On 31/05/2023 17:17, Brandon Sara wrote:
>>>
>>> With CVE-2023-22665, what is the risk of using Fuseki pre-4.8.0 that does
>>> not have custom scripts configured in any configurations? Is there only a
>>> risk if custom scripts are set up to be used by Fuseki or is there a risk
>>> regardless of configuration?
>>>
>>> Thanks.
>>
>> Java17 does not have a javascript engine, unless the deployment adds one.
>>
>> So running on a Java17 means that scripts can't execute.
>>
>> The issue is Java11, where there is a script engine in the JVM runtime.
>>
>> Andy
>>
>> https://openjdk.org/jeps/372
>> Nashorn removed at Java15.
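The Java 17 mitigation discussed above rests on one condition: no JavaScript script engine is reachable from the JVM that runs Fuseki unless the deployment added one. The following check, added here as an illustration and not code from the thread or from the Jena project (the class name and the list of engine names are my own choices), reports the runtime's feature version and whether any registered ScriptEngineFactory advertises JavaScript:

```java
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

// Hypothetical class name; added for this thread, not part of Jena or Fuseki.
public class FusekiScriptEngineCheck {

    // Names advertised by engines that pre-4.8.0 Fuseki script support could pick
    // up: Nashorn (bundled in Java 11 to 14) plus common JavaScript aliases.
    // This list is an assumption; extend it if your deployment ships another engine.
    private static final String[] JS_NAMES = {"javascript", "js", "nashorn", "ecmascript", "graal.js"};

    /** True if any ScriptEngineFactory visible to this JVM offers JavaScript. */
    static boolean javaScriptEngineAvailable() {
        for (ScriptEngineFactory f : new ScriptEngineManager().getEngineFactories()) {
            for (String name : f.getNames()) {
                for (String js : JS_NAMES) {
                    if (js.equalsIgnoreCase(name)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    /** Java feature release (11, 17, 21, ...); Runtime.Version.feature() exists since Java 10. */
    static int javaFeatureVersion() {
        return Runtime.version().feature();
    }

    public static void main(String[] args) {
        int feature = javaFeatureVersion();
        boolean js = javaScriptEngineAvailable();
        System.out.println("Java feature version : " + feature);
        System.out.println("JavaScript engine    : " + (js ? "PRESENT" : "absent"));
        if (js) {
            // Matches the thread: on Java 11 Nashorn is in the runtime; on Java 17 an
            // engine is only present if the deployment added one (e.g. a jar on the classpath).
            System.out.println("Mitigation NOT in place: a JavaScript engine is reachable. "
                    + "Upgrade Fuseki to 4.8.0+ or remove the engine from the deployment.");
            System.exit(1);
        }
        System.out.println("No JavaScript engine found; the Java 17 mitigation condition holds.");
    }
}
```

Run it with the same `java` binary and the same classpath as the Fuseki process (for example with the Fuseki jar on the classpath), since an engine added as a dependency is only visible under that classpath.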
