High Prisma CVEs in owlready2 bundled JARs (Jena 2.10.0) - guidance needed


Ejas Ali
Hi,

Two high Prisma vulnerabilities (CVEs) are being reported for the owlready2 package due to the following bundled JARs:

CVE-2021-39239 - /lib/python3.11/dist-packages/owlready2/pellet/jena-arq-2.10.0.jar
CVE-2021-39239 - /lib/python3.11/dist-packages/owlready2/pellet/jena-core-2.10.0.jar

We attempted to upgrade these JARs to the fixed version (4.2.0), but doing so breaks owlready2 functionality. Please advise on a recommended fix or supported alternative, and let us know if there is a planned timeline for addressing these vulnerabilities in owlready2.

Regards,
Ejas Ali

Re: High Prisma CVEs in owlready2 bundled JARs (Jena 2.10.0) - guidance needed

Jiba
Administrator
Hi,

These old JARs are used to support Pellet.

If you don't need Pellet, you can just remove the JARs.

If you do need Pellet, it's more complicated... we need to manage to recompile Pellet with updated/fixed JARs, which is not an easy task: updating from version 2.10 to 4.2 is a big leap :-(

Another solution would be to delete the support for XML entities in the JARs (I think Owlready doesn't use them), which would prevent the vulnerability?

Jiba
Re: High Prisma CVEs in owlready2 bundled JARs (Jena 2.10.0) - guidance needed

Jiba
Administrator
In reply to this post by Ejas Ali
After looking at the Owlready2 code, it appears that XML is not used to communicate with Pellet (NTriple files are used instead). Consequently, the vulnerability cannot occur and we don't need the XML loading functionality.

I managed to disable XML loading in Jena by modifying/commenting org/apache/jena/riot/lang/LangRDFXML.java, which fixes the vulnerability.

I also verified that the vulnerability does not occur within Owlready2 in Python.

Jiba
Re: High Prisma CVEs in owlready2 bundled JARs (Jena 2.10.0) - guidance needed

Ejas Ali
Hi, thank you for your reply. Disabling XML loading may not prevent the JAR from being flagged in a Prisma scan.

Has this issue been fixed in the latest version of Owlready2?

Is there a planned timeline for addressing these vulnerabilities in Owlready2?

Thank you
Re: High Prisma CVEs in owlready2 bundled JARs (Jena 2.10.0) - guidance needed

Jiba
Administrator
Okay, so what could we do to prevent the JAR from being flagged in a Prisma scan? Rename the JAR? Remove some dangerous and unused files from it?

Jiba
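An added audit helper for the situation discussed above (example code, not from the thread, from Owlready2 or from Apache Jena): for each bundled Jena JAR it reports the version strings a scanner can read (file name and manifest) and whether the RDF/XML parser class is still inside, so the two mitigations in the thread (stripping the parser versus what a version-based scan sees) can be told apart. It assumes the compiled class path org/apache/jena/riot/lang/LangRDFXML.class from the source file Jiba names, and builds constructed stand-in JARs in a temporary directory instead of touching a real install.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Compiled form of the RDF/XML parser source file named in the thread
# (assumed path; the thread only names LangRDFXML.java).
RDFXML_PARSER_CLASS = "org/apache/jena/riot/lang/LangRDFXML.class"
JAR_VERSION_RE = re.compile(r"jena-(?:core|arq)-(\d+\.\d+\.\d+)\.jar$")

def audit_jar(jar_path):
    """Report the version strings visible to a scanner (file name and
    manifest) and whether the RDF/XML parser class is still in the JAR."""
    jar_path = Path(jar_path)
    match = JAR_VERSION_RE.search(jar_path.name)
    manifest_version = None
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    manifest_version = line.split(":", 1)[1].strip()
    return {
        "jar": jar_path.name,
        "filename_version": match.group(1) if match else None,
        "manifest_version": manifest_version,
        "rdfxml_parser_present": RDFXML_PARSER_CLASS in names,
    }

def build_sample_jar(path, version, include_rdfxml):
    """Construct a minimal stand-in JAR (constructed sample, not a real Jena build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        # Placeholder class bodies: only the entry names matter for the audit.
        jar.writestr("org/apache/jena/riot/lang/LangNTriples.class", b"\xca\xfe\xba\xbe")
        if include_rdfxml:
            jar.writestr(RDFXML_PARSER_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Audit an untouched sample JAR and one with the RDF/XML parser stripped."""
    tmp = Path(tempfile.mkdtemp())
    untouched, stripped = tmp / "jena-arq-2.10.0.jar", tmp / "jena-core-2.10.0.jar"
    build_sample_jar(untouched, "2.10.0", include_rdfxml=True)
    build_sample_jar(stripped, "2.10.0", include_rdfxml=False)
    return [audit_jar(untouched), audit_jar(stripped)]

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Against a real install, point audit_jar at the files under owlready2/pellet/ instead of the constructed samples; a stripped JAR still reports the 2.10.0 version strings, which is the point the reporter raises about scanner flagging.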