CVE-2022-45136 Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker controls the JDBC URL or causes the underlying database server to return malicious data.

Apache Jena TDB is a drop-in replacement for Apache Jena SDB and can be used in the same applications without any changes required. The Apache Jena TDB team has addressed the issues of Apache Jena SDB and upgraded the project to a more recent version. Apache Jena TDB 3.17.0 and later is not vulnerable to the above-mentioned issue. Apache Jena TDB 3.17.0 and later does not support JDBC types SET, DATE, DATETIME, or TIME, types that are susceptible to SQL injection attacks. Through the upgrade, the Apache Jena TDB team has also made improvements to the security of the project, including the elimination of known vulnerabilities. Users are advised to upgrade to the latest version of Apache Jena TDB to ensure that their applications are running on a more secure version.
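One way to remove the "attacker controls the JDBC URL" precondition named above is to allowlist the URL before it reaches the driver. This is an added example in Java, not code from this page or from the Apache Jena project; it assumes a network-style URL of the form jdbc:<subprotocol>://host/db?props, and the host, database and property names it uses are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical allowlist check for a JDBC URL before DriverManager.getConnection().
 * Only the configured subprotocol, host and database are accepted, and every URL
 * property must be explicitly listed, so driver options cannot be switched on
 * through a URL that originates outside the deployment's own configuration.
 */
public final class JdbcUrlPolicy {
    private final String subprotocol;          // e.g. "mysql" (constructed value)
    private final Set<String> allowedHosts;
    private final Set<String> allowedDatabases;
    private final Set<String> allowedParams;

    public JdbcUrlPolicy(String subprotocol, Set<String> hosts, Set<String> dbs, Set<String> params) {
        this.subprotocol = subprotocol.toLowerCase();
        this.allowedHosts = hosts;
        this.allowedDatabases = dbs;
        this.allowedParams = params;
    }

    /** Returns true only if every component of the URL is on the allowlist. */
    public boolean isAllowed(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.regionMatches(true, 0, "jdbc:", 0, 5)) return false;
        URI uri;
        try {
            uri = new URI(jdbcUrl.substring(5)); // "mysql://host:3306/db?k=v" parses as a normal URI
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null || !subprotocol.equals(uri.getScheme().toLowerCase())) return false;
        if (uri.getHost() == null || !allowedHosts.contains(uri.getHost().toLowerCase())) return false;
        if (uri.getUserInfo() != null) return false; // credentials belong in Properties, not the URL
        String path = uri.getPath();
        if (path == null || path.length() < 2 || !allowedDatabases.contains(path.substring(1))) return false;
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) return true;
        for (String pair : query.split("&")) {
            String name = pair.split("=", 2)[0];
            if (name.isEmpty() || !allowedParams.contains(name)) return false; // unlisted property: reject
        }
        return true;
    }

    public static void main(String[] args) {
        JdbcUrlPolicy policy = new JdbcUrlPolicy("mysql",
                new HashSet<>(Arrays.asList("db.internal")),
                new HashSet<>(Arrays.asList("jena")),
                new HashSet<>(Arrays.asList("useSSL", "serverTimezone")));
        // Constructed sample URLs: the first matches the policy, the second carries an unlisted property
        System.out.println(policy.isAllowed("jdbc:mysql://db.internal:3306/jena?useSSL=true"));
        System.out.println(policy.isAllowed("jdbc:mysql://db.internal/jena?useSSL=true&extraOption=1"));
    }
}
```

Because the check is an allowlist rather than a denylist, it needs no knowledge of which driver options are dangerous: any property the deployment did not declare is refused.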

Apache TDB 3.16.0 – Not vulnerable to CVE-2018-2614

The Apache Jena TDB project is a cross-platform, open-source Object Relational Mapping (ORM) for Java, using the H2 database engine. The project provides an API with easy-to-use methods for creating and managing persistent objects in SQL databases as Java objects.

What is Apache Jena?

Apache Jena is a software implementation of the Java Database Connectivity API. It is a comprehensive open source software project that provides access to various relational databases and NoSQL data stores. Apache Jena makes it easy to persist Java objects into relational databases, enabling full interoperability between Java objects and relational data.
With Apache Jena, developers can access many popular databases including MySQL, PostgreSQL, Oracle (including Oracle XE), Microsoft SQL Server/MS-SQL, and DB2. With its JDBC drivers, Apache Jena also enables access to other databases such as Amazon Aurora, Redshift, HBase, Cassandra, MongoDB (including MongoDB Atlas), Couchbase (including Couchbase Lite), Aerospike/AWS Kinesis Data Streams/Amazon S3...

Apache TDB Installation and Upgrade Instructions

First, you must have already installed Apache Jena SDB 3.2 or later on the same machine and configured it to use a JDBC driver (for example, H2).
For the upgrade procedure, follow these steps:

1. Upgrade Apache Jena TDB to version 3.17.0.
2. Restart Apache Jena SDB after upgrading.
3. Upgrade all the application users manually to version 3.17.0 or later of Apache Jena TDB, as they are upgraded to this version without failover support, with the following command:

   $ cd /path/to/jdbc-driver-class/bin
   $ ./upgrade_all_user_tables -m "Apache Jena TDB 3.17"

Apache Rivet

Apache Rivet is a software system for managing and securing Java applications. It protects the application from threats such as SQL injection, XSS attacks, clickjacking, and other vulnerabilities. With Apache Rivet's security in place, developers can focus on adding additional functionality to their applications without having to worry about security issues.

Timeline

Published on: 11/14/2022 16:15:00 UTC
Last modified on: 11/17/2022 23:14:00 UTC
