Bug 1666499 (CVE-2019-14900)

Summary: CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, brian.stansberry, bspyrkos, btotty, cbillett, cdewolf, chazlett, clement.escoffier, csutherl, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, etirelli, extras-orphan, ggaughan, gmalinko, gsmet, gvarsami, gzaronik, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jjoyce, jochrist, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lthon, lzap, mbabacek, mburns, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, nmoumoul, nwallace, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, rchan, rfreire, rguimara, rjerrido, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sbiarozk, sclewis, scohen, sdaley, sdouglas, security-response-team, slinaber, smaestri, sokeeffe, spinder, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tom.jenkinson, vhalbert, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Hibernate ORM 5.3.18, Hibernate ORM 5.4.18, Hibernate ORM 5.5.0.Beta1, Hibernate ORM 5.3.17.Final-redhat-00001 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-12 22:31:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1666641, 1666642, 1666643    
Bug Blocks: 1666500    

Description Laura Pardo 2019-01-15 20:38:17 UTC 
A flaw was found in Hibernate ORM versions 4.3 to 5.4 inclusive. An SQL Injection in the implementation of the JPA Criteria API when a literal is used in the SELECT or GROUP BY parts of the query. The exploit of this vulnerability can result in an information leak.
Comment 5 Laura Pardo 2019-01-16 14:57:06 UTC 
Acknowledgments:

Name: Guillaume Smet (Red Hat)
Comment 7 Guillaume Smet 2019-02-09 12:59:35 UTC 
Any news about this issue? It has nearly been a month.

We will soon integrate a new version of Hibernate ORM in EAP 7.2.1 and it would have been nice to have this fixed.

Thanks for the feedback.
Comment 9 Richard Maciel Costa 2019-02-27 01:00:36 UTC 
Statement:

OpenDaylight:
In RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight is contains a flaw in the processing of SQL queries. The hibernate-jha implemenation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.

Red Hat Satellite 6.2, 6.3 and 6.4 contains affected versions of hibernate-core in its candlepin component. However, that component does not use hibernate-core in a vulnerable way.
Comment 12 Joshua Padman 2019-08-12 02:16:53 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 16 Paramvir jindal 2019-12-27 09:49:07 UTC 
Created trackers for RHDM, RHPAM, RHSSO, JDG, and EAP 7
Comment 20 Chess Hazlett 2020-05-12 15:11:19 UTC 
Mitigation:

There is no currently known mitigation for this flaw.
Comment 21 errata-xmlrpc 2020-05-12 17:17:07 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3.8

Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112
Comment 22 Product Security DevOps Team 2020-05-12 22:31:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14900
Comment 27 errata-xmlrpc 2020-08-17 13:25:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3464 https://access.redhat.com/errata/RHSA-2020:3464
Comment 28 errata-xmlrpc 2020-08-17 13:27:50 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:3461 https://access.redhat.com/errata/RHSA-2020:3461
Comment 29 errata-xmlrpc 2020-08-17 13:30:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:3462 https://access.redhat.com/errata/RHSA-2020:3462
Comment 30 errata-xmlrpc 2020-08-17 13:33:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:3463 https://access.redhat.com/errata/RHSA-2020:3463
Comment 31 errata-xmlrpc 2020-08-31 15:40:36 UTC 
This issue has been addressed in the following products:

  EAP-CD 20 Tech Preview

Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585
Comment 32 errata-xmlrpc 2020-09-07 12:55:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637
Comment 33 errata-xmlrpc 2020-09-07 12:58:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639
Comment 34 errata-xmlrpc 2020-09-07 13:01:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638
Comment 35 errata-xmlrpc 2020-09-07 13:05:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642
Comment 36 errata-xmlrpc 2020-10-14 11:17:10 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.7.5

Via RHSA-2020:4252 https://access.redhat.com/errata/RHSA-2020:4252
Comment 38 Paramvir jindal 2020-11-02 11:10:37 UTC 
Update from RHDM and RHPAM engineering :

The kie-server-ee7 zip is primarily for Weblogic/Websphere which I believe we decided to stay on hibernate 5.1.x, we cannot make an upgrade to 5.3.x due to technical reasons. So this CVE is expected to be fixed only for EAP, kie-server-ee8.

So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and  hibernate-core-kie-server-ee7) as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't.
Comment 40 errata-xmlrpc 2020-11-05 18:47:17 UTC 
This issue has been addressed in the following products:

  RHDM 7.9.0

Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960
Comment 41 errata-xmlrpc 2020-11-05 18:48:43 UTC 
This issue has been addressed in the following products:

  RHPAM 7.9.0

Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961
Comment 42 errata-xmlrpc 2020-12-16 12:11:31 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568