Roland,
There is no requirement to use RDF/XML.
To avoid this XML-related vulnerability, don't accept arbitrary,
uncontrolled RDF/XML but allow syntaxes such as Turtle or N-Triples, which
don't have this remote inclusion feature.
They are faster to process as well.
Andy
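One way to apply the advice above in application code, as an added example that is not part of the thread and not Jena's own code: the web application maps the declared Content-Type of an upload onto an allow-list of non-XML RDF syntaxes and passes an explicit Lang to the parser, so RIOT never has to guess the syntax and RDF/XML is simply never parsed from untrusted input. The class name SafeRdfIngest, the allow-list and the sample Turtle document are assumptions made for the example; Set.of needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFDataMgr;
import org.apache.jena.riot.RDFLanguages;

/** Hypothetical helper: parses RDF uploads only in non-XML syntaxes. */
public final class SafeRdfIngest {

    // Allow-list of syntaxes we are willing to parse from untrusted input.
    // RDF/XML (and the XML-based TriX) are deliberately absent.
    private static final Set<Lang> ALLOWED = Set.of(Lang.TURTLE, Lang.NTRIPLES);

    /** Maps the declared Content-Type onto an allowed Lang, or rejects the request. */
    public static Lang requireAllowedLang(String contentType) {
        Lang lang = RDFLanguages.contentTypeToLang(contentType);
        if (lang == null || !ALLOWED.contains(lang)) {
            throw new IllegalArgumentException("Unsupported RDF syntax: " + contentType);
        }
        return lang;
    }

    /** Parses untrusted bytes with an explicit syntax; no content sniffing, no RDF/XML fallback. */
    public static Model parseUntrusted(InputStream in, String contentType) {
        Lang lang = requireAllowedLang(contentType);
        Model model = ModelFactory.createDefaultModel();
        RDFDataMgr.read(model, in, lang);
        return model;
    }

    public static void main(String[] args) {
        // Constructed sample upload in Turtle: accepted and parsed.
        String turtle = "@prefix ex: <http://example.org/> .\nex:s ex:p \"o\" .\n";
        Model m = parseUntrusted(
                new ByteArrayInputStream(turtle.getBytes(StandardCharsets.UTF_8)), "text/turtle");
        System.out.println("triples: " + m.size());

        // An RDF/XML upload is refused before any XML parser is touched.
        try {
            parseUntrusted(new ByteArrayInputStream(new byte[0]), "application/rdf+xml");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check runs on the declared Content-Type only, which is the point: the decision about which parser to invoke is made before any bytes of the body are examined, and the Lang handed to RDFDataMgr.read is the only parser RIOT will use for that body.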
On 19/10/17 16:31, Rob Vesse wrote:
Potentially yes, see https://issues.apache.org/jira/browse/JENA-1364
There is a known vulnerability in the Apache Xerces Library we use,
unfortunately there has not been an official Xerces release for quite some time
(Feb 2013 was the last). There had been some apparent discussion at finally
making a new release around the time that the issue was reported to us but it
has unfortunately not materialised.
The referenced JIRA issue describes end user workarounds which involve
substituting an alternative build of that library.
For general guidelines on how to report security issues to any Apache project
please see https://www.apache.org/security/
Rob
On 19/10/2017 16:13, "Roland Cornelissen" <[email protected]> wrote:
Hi,
Could it be that the Jena library causes an XXE vulnerability? [1]
I am looking into this for a web application we are using and I'm not
sure on how to report/question such issues.
Thanks,
Roland
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing