
List:       oss-security
Subject:    [oss-security] CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB
From:       Rob Vesse <rvesse () apache ! org>
Date:       2022-11-14 15:26:45
Message-ID: f504671e-250d-f954-4f7b-39439e2cd429 () apache ! org

Severity: low

Description:

** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The MySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server.

Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.

Mitigation:

Apache Jena SDB has been EOL since December 2020; users should migrate to alternative options from the Apache Jena project e.g. Apache Jena TDB 2 or from 3rd party vendors.


Users utilising Apache Jena SDB with MySQL should ensure they explicitly set autoDeserialize=false on their JDBC connection strings. It is also recommended that users ensure that any ability to set the JDBC connection string is limited to appropriate users.
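One way to enforce both mitigations at configuration time, as an added example that is not Apache Jena's or Connector/J's own code: a small Python linter that pins autoDeserialize=false on a MySQL JDBC URL and rejects any URL that enables it or that points at a host outside an operator-maintained allow-list (the allow-list hosts and the helper names are constructed assumptions).

```python
"""Lint MySQL JDBC connection strings before a JDBC client (such as Apache Jena
SDB) uses them.  Constructed example, not Apache Jena or Connector/J code."""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Hypothetical allow-list of database hosts an operator has approved (constructed).
APPROVED_HOSTS = frozenset({"db.internal.example", "127.0.0.1"})


class UnsafeJdbcUrl(ValueError):
    """The URL would allow the deserialisation attack described in the advisory."""


def _hosts(netloc: str) -> list:
    """Host names from a MySQL netloc: [user[:pw]@]host1[:port][,host2[:port]]..."""
    hosts_part = netloc.rsplit("@", 1)[-1]            # drop credentials if present
    return [h.split(":", 1)[0].lower() for h in hosts_part.split(",") if h]


def harden_mysql_jdbc_url(url: str, approved_hosts=APPROVED_HOSTS) -> str:
    """Return `url` with autoDeserialize=false pinned, or raise UnsafeJdbcUrl.

    A parameter that enables autoDeserialize is rejected rather than silently
    rewritten, so a tampered or misconfigured connection string is surfaced
    instead of hidden.  Hosts outside `approved_hosts` are rejected too, which
    is one way to limit who can point the application at a database server.
    """
    if not url.lower().startswith("jdbc:mysql://"):
        raise UnsafeJdbcUrl("not a jdbc:mysql:// URL")
    parts = urlsplit(url[len("jdbc:"):])              # mysql://host/db?query
    hosts = _hosts(parts.netloc)
    if not hosts:
        raise UnsafeJdbcUrl("no database host in URL")
    for host in hosts:
        if host not in approved_hosts:
            raise UnsafeJdbcUrl(f"database host {host!r} is not approved")
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "autodeserialize":
            if value.lower() != "false":               # "true", "TRUE", "" are all rejected
                raise UnsafeJdbcUrl(f"autoDeserialize={value!r} is not allowed")
            continue                                   # re-added explicitly below
        kept.append((key, value))
    kept.append(("autoDeserialize", "false"))          # pin the safe setting last
    return f"jdbc:mysql://{parts.netloc}{parts.path}?{urlencode(kept)}"


def rejects(url: str) -> bool:
    """True if the linter refuses `url`; handy for config checks in CI."""
    try:
        harden_mysql_jdbc_url(url)
    except UnsafeJdbcUrl:
        return True
    return False
```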

Credit:

Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue.

