Third-party vulnerabilities

GraphDB uses a number of third-party libraries as dependencies. To ensure a secure and reliable product, Ontotext performs regular vulnerability scans and takes appropriate actions to address any newly identified vulnerabilities.

Typically, vulnerabilities are addressed by upgrading the affected libraries to a newer version, where the vulnerability was fixed.

When it is not possible to upgrade a library, Ontotext addresses each case individually. This may include a statement that a vulnerability does not apply to GraphDB, an Ontotext patch for that vulnerability, or both.

The following is a list of all identified vulnerabilities that were mitigated with an individual approach.

Spring vulnerability CVE-2016-1000027

CVE-2016-1000027 describes a potential remote code execution issue in Spring Framework up to version 6.x, if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required. The vendor’s position is that untrusted data is not an intended use case.

The vulnerability affects the usage of the HttpInvokerServiceExporter class in the spring-web module. GraphDB does not use that class and as such is inherently not vulnerable.

To give you peace of mind, since GraphDB 10.4.1 the spring-web jar distributed with the product is repackaged with the affected class removed. The repackaged jar file is renamed to spring-web-<version>.Patched-CVE-2016-1000027.jar.
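Added example (not Ontotext's own tooling): a small check that verifies the repackaging by inspecting the jar contents rather than trusting the file name alone. It assumes the class lives at its Spring 5.x package path (org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter), that spring-web jars are found under a GraphDB lib directory, and it builds two constructed stand-in jars for the demonstration.

```python
import os
import tempfile
import zipfile

# Class behind CVE-2016-1000027; the entry path inside the jar mirrors the package name
# (assumed: org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter, Spring 5.x).
AFFECTED_CLASS = "org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.class"
PATCHED_MARKER = "Patched-CVE-2016-1000027"


def jar_contains_class(jar_path, class_entry=AFFECTED_CLASS):
    """True if the jar's central directory lists the given class entry."""
    with zipfile.ZipFile(jar_path) as jar:
        return class_entry in jar.namelist()


def check_spring_web_jar(jar_path):
    """Report both signals: the naming convention and the actual jar contents."""
    name = os.path.basename(jar_path)
    return {
        "jar": name,
        "patched_name": PATCHED_MARKER in name,
        "affected_class_present": jar_contains_class(jar_path),
    }


def scan_lib_dir(lib_dir):
    """Walk a lib directory and check every spring-web-*.jar found in it."""
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for fname in sorted(files):
            if fname.startswith("spring-web-") and fname.endswith(".jar"):
                findings.append(check_spring_web_jar(os.path.join(root, fname)))
    return findings


def build_sample_jar(path, include_affected_class):
    """Constructed stand-in jar: only entry names matter for this check, bodies do not."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/springframework/web/client/RestTemplate.class", b"")
        if include_affected_class:
            jar.writestr(AFFECTED_CLASS, b"")


def demo():
    """Build one stock-looking and one repackaged jar (placeholder version X.Y.Z) and scan them."""
    lib_dir = tempfile.mkdtemp(prefix="graphdb-lib-")
    build_sample_jar(os.path.join(lib_dir, "spring-web-X.Y.Z.jar"), True)
    build_sample_jar(os.path.join(lib_dir, f"spring-web-X.Y.Z.{PATCHED_MARKER}.jar"), False)
    return scan_lib_dir(lib_dir)
```

Point `scan_lib_dir` at a real GraphDB lib directory to confirm that every spring-web jar reports `affected_class_present: False`.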