Warning: This document is for an old version of RDFox. The latest version is 7.4.

24. Security Advisories

This section documents security advisories for RDFox.

24.1. RD-2389 - 6.0 (Medium)

RDFox’s access control system allows administrators to specify which named graphs each agent is allowed to read and write. In the versions affected by this bug, authorization checks were not performed when RDFox’s syntax extensions for accessing tuple tables (see Section 9.4) were used to query the Quads tuple table where RDFox stores all named graph facts. This would allow an attacker to read triples in any named graph even while authenticated as an agent with no named graph access privileges.

Note that this bug affected only reading from named graphs: authorization checks for writing to named graphs were performed correctly. Note also that, in order to exploit this vulnerability, an agent must hold a read privilege over the Quads tuple table.

24.1.1. Mitigations

As an interim measure to secure sensitive data, administrators can revoke read privileges over the Quads tuple table from any user who should not have access to all named graphs, until they can upgrade to a fixed version.

24.1.2. Affected Versions

This issue affects all versions from 6.1 to 7.2d inclusive, 7.3 to 7.3d inclusive, and 7.4.

24.1.3. Resolution

This issue is fixed in patch releases v7.2e, v7.3e, and v7.4a. Users of the affected versions are advised to upgrade to a fixed version as soon as possible to prevent exploitation of this issue. Upgrading to a patched version provides protection from this issue immediately without need for further action.

24.1.4. CVSS Score

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. – 6.0 (Medium)

24.2. RD-2210 - 2.3 (Low)

A logic error in the SKOLEM built-in tuple table could allow a remotely authenticated attacker to capture the content of memory allocated for construction of a SKOLEM blank node identifier into the identifier itself. This corrupts the system and, if the identifiers are formatted in query responses, may lead to unauthorized disclosure of information depending on what data was previously stored in the allocated memory.

To exploit this issue, one or more IRIs whose length excluding the final segment is a multiple of 3 must be stored in the data store. An attacker with write privileges could establish this condition and could also add the incorrect identifiers back into the dictionary to be harvested at a later date using rules or SPARQL updates. Once the necessary IRIs or any faulty SKOLEM identifiers are present in the dictionary, an attacker with read privileges could read them by querying.

24.2.1. Mitigations

There are no advised mitigations for this issue. Please see the resolution section below.

24.2.2. Affected Versions

This issue affects versions v7.3, v7.3a, and v7.3c.

24.2.3. Resolution

This issue is fixed in v7.3d and later versions. Users of one of the affected versions are advised to upgrade to a fixed version as soon as possible to prevent new exploitation of this issue. After upgrading, they should also follow the v7.3d upgrade instructions to ensure that their system is free of any incorrect SKOLEM identifiers created by this issue.

24.2.4. CVSS Score

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. – 2.3 (Low)