Bug 1465573 (CVE-2017-7536)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager | | |
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, aileenc, alazarot, anstephe, avibelli, bcourt, bgeorges, bkearney, bmaxwell, bmcclain, carnil, cbillett, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, deesharm, dimitris, dosoudil, drusso, ebernard, eedri, etirelli, fgavrilo, gmorling, gvarsami, ibek, ikanello, java-sig-commits, jawilson, jbalunas, jcoleman, jmadigan, jmatthew, jmrazek, jolee, jondruse, jpadman, jpallich, jshepherd, kconner, kpiwko, krathod, kverlaen, ldimaggi, lef, lgao, lgriffin, loleary, lpetrovi, lthon, mbaluch, mgoldboi, michal.skrivanek, mmccune, mrike, mstead, mszynkie, mwinkler, myarboro, ngough, nwallace, ohadlevy, paradhya, pbraun, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, pwright, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, security-response-team, sherold, spinder, tcunning, theute, tiwillia, tkirby, tlestach, trogers, tsanders, twalsh, vhalbert, vtunka, yjog |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | hibernate-validator 4.3.4.Final, hibernate-validator 5.3.5.Final | Doc Type: | If docs needed, set a value |
| Doc Text: | It was found that when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because calling code could then reach those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member's value via ConstraintViolation#getInvalidValue(). | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 03:15:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1470920, 1472059, 1576141, 1576142 | | |
| Bug Blocks: | 1465576, 1493931, 1520314 | | |
Description

Andrej Nemec
2017-06-27 16:26:07 UTC

Acknowledgments: Name: Gunnar Morling (Red Hat)

Hi, we'd like to know how to proceed in this matter. Specifically we are about to release Hibernate Validator 6 (the reference implementation of Bean Validation 2.0) soon. Can we provide a fix for that issue in this new major version at this point in time? Our plan is to check for a specific permission which the caller must possess in order to validate constraints on private members when a security manager is enabled. We'd like to be sure though whether we can provide this solution while this bug record for Hibernate Validator 5.x still is open. Thanks!

Red Hat Mobile Platform Millicore component does run with a security manager enabled, marking it as not affected.

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0.8
Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

This issue has been addressed in the following products:
RHEV 4.X RHEV-H and Agents for RHEL-7
Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Hi

Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any further reference?

Thank you already!

Regards,
Salvatore

Setting needinfo to Bharti Kundal so that she sees it.

(In reply to Salvatore Bonaccorso from comment #21)
> Hi
>
> Would it be possible to indicate where the issue was fixed? In Debian we
> ship libhibernate-validator-java and we would like to clarify if/how we are
> affected by the issue. Is there any further reference?
>
> Thank you already!
>
> Regards,
> Salvatore

Hi Salvatore,

The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all affected). 6 is not.

It's fixed in the upstream 5.2 branch. The branch is here: https://github.com/hibernate/hibernate-validator/tree/5.2

Does this help?

Thanks and Regards,
Bharti

Hi Bharti!

(In reply to Bharti Kundal from comment #24)
> (In reply to Salvatore Bonaccorso from comment #21)
> > Hi
> >
> > Would it be possible to indicate where the issue was fixed? In Debian we
> > ship libhibernate-validator-java and we would like to clarify if/how we are
> > affected by the issue. Is there any further reference?
> >
> > Thank you already!
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all
> affected). 6 is not.
>
> It's fixed in the upstream 5.2 branch. The branch is here:
> https://github.com/hibernate/hibernate-validator/tree/5.2
>
> Does this help?

Yes, thanks, that helps!

Regards,
Salvatore

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

This issue has been addressed in the following products:
Red Hat Satellite 6.4 for RHEL 7
Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2018:3817 https://access.redhat.com/errata/RHSA-2018:3817

This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
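The Doc Text and the Hibernate Validator team's comment above describe a confused-deputy pattern: a library that holds reflective permissions under a security manager lends them to callers that do not, and the private value comes back to the caller (via ConstraintViolation#getInvalidValue() in this bug). The following is an added illustration, not code from Hibernate Validator or from this bug record, contrasting that shape with the fix the comment outlines, an explicit check that the caller holds a permission; it assumes a JDK where SecurityManager is still available and uses ReflectPermission("suppressAccessChecks") as a stand-in for the "specific permission" the project chose, which this page does not name.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper (not Hibernate Validator's code). A library that is
// itself granted reflective permissions must not let an unprivileged caller
// ride on them; it checks the caller's own permission before reflecting.
public final class GuardedPrivateAccess {

    // Stand-in for the "specific permission" mentioned in the bug record;
    // the permission actually used by the project is not named on this page.
    private static final ReflectPermission REQUIRED =
            new ReflectPermission("suppressAccessChecks");

    private GuardedPrivateAccess() {}

    // Problematic shape: doPrivileged makes the library's own grants cover the
    // whole reflective read, so whoever can invoke this method obtains the
    // private value regardless of what its own protection domain is granted.
    public static Object readPrivateUnchecked(Object target, String fieldName) {
        return AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
            try {
                Field f = target.getClass().getDeclaredField(fieldName);
                f.setAccessible(true); // needs suppressAccessChecks under a SM
                return f.get(target);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    // Hardened shape: perform the permission check on the caller's own stack,
    // outside any doPrivileged block, so that every frame (including the
    // caller's) must hold REQUIRED; otherwise the security manager throws
    // SecurityException and the private value is never read.
    public static Object readPrivateChecked(Object target, String fieldName) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(REQUIRED); // evaluated against the full call stack
        }
        return readPrivateUnchecked(target, fieldName);
    }
}
```

With no security manager installed both methods behave identically; the difference only appears when a manager is active and the caller's code source lacks the permission, which is exactly the configuration the Doc Text describes.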