CVE-2022-45136: 
Java vulnerability analysis and mitigation

Apache Jena SDB 3.17.0 and earlier was identified with a JDBC Deserialization vulnerability (CVE-2022-45136). The vulnerability was discovered and disclosed in November 2022. The issue affects all versions of Apache Jena SDB up to and including version 3.17.0, with particular concern when used with MySQL JDBC driver (NVD, OSS Security).

The vulnerability is classified as a deserialization of untrusted data (CWE-502) with a CVSS v3.1 Base Score of 9.8 (CRITICAL). The attack vector requires the attacker to either control the JDBC URL or cause the underlying database server to return malicious data. This vulnerability specifically affects scenarios where the application is connected to a malicious database server, potentially leading to Remote Code Execution (RCE) (NVD).

If successfully exploited, this vulnerability can lead to Remote Code Execution (RCE) when the application is connected to a malicious database server. The critical CVSS score of 9.8 indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

Users are strongly advised to migrate to alternative options as Apache Jena SDB has been EOL since December 2020. Recommended alternatives include Apache Jena TDB 2. For those who must continue using Apache Jena SDB with MySQL, it is recommended to explicitly set autoDeserialize=false on JDBC connection strings and limit the ability to set JDBC connection strings to appropriate users only (OSS Security).