Bug 1881353 (CVE-2020-25638)
| Summary: | CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ted Jongseok Won <jwon> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, csutherl, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eleandro, eric.wittmann, etirelli, ganandan, ggaughan, gmalinko, gsmet, gvarsami, gzaronik, hbraun, ibek, ikanello, iweiss, janstey, jawilson, jbalunas, jclere, jcoleman, jjoyce, jochrist, jolee, jpallich, jperkins, jross, jschatte, jschluet, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lthon, mbabacek, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, myarboro, nwallace, pantinor, pdrozd, pgallagh, pjindal, pmackay, probinso, psotirop, rguimara, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sbiarozk, sclewis, scohen, sdaley, sdouglas, security-response-team, slinaber, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, vhalbert, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://issues.redhat.com/browse/ENTESB-14786 https://issues.redhat.com/browse/ENTESB-14787 https://issues.redhat.com/browse/ENTSBT-815 https://issues.redhat.com/browse/ENTSWM-914 https://issues.redhat.com/browse/IPT-181 https://issues.redhat.com/browse/JBDS-4881 https://issues.redhat.com/browse/JBEAP-20227 https://issues.redhat.com/browse/JBEAP-20228 https://issues.redhat.com/browse/JBEAP-20229 https://issues.redhat.com/browse/JBEAP-20230 https://issues.redhat.com/browse/JWS-1846 https://issues.redhat.com/browse/KEYCLOAK-15646 https://issues.redhat.com/browse/QUARKUS-427 https://issues.redhat.com/browse/RHDM-1452 https://issues.redhat.com/browse/RHPAM-3199 https://issues.redhat.com/browse/RHDM-1559 https://issues.redhat.com/browse/RHPAM-3381 https://issues.redhat.com/browse/ENTSBT-914 |
||
| Whiteboard: | |||
| Fixed In Version: | Hibernate ORM 5.4.24.Final | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-23 17:34:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1877830 | ||
|
Description
Ted Jongseok Won
2020-09-22 08:57:38 UTC
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Operations Network 3 * Red Hat JBoss BPMS 6 * Red Hat JBoss BRMS 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Mitigation: Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters. This issue has been addressed in the following products: EAP 7.3.3 Via RHSA-2020:5174 https://access.redhat.com/errata/RHSA-2020:5174 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5175 https://access.redhat.com/errata/RHSA-2020:5175 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25638 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.3 one-off Via RHSA-2020:5254 https://access.redhat.com/errata/RHSA-2020:5254 This issue has been addressed in the following products: Red Hat build of Quarkus 1.7.5 SP1 Via RHSA-2020:5302 https://access.redhat.com/errata/RHSA-2020:5302 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342 This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:5388 https://access.redhat.com/errata/RHSA-2020:5388 Update from RHDM and RHPAM engineering : The kie-server-ee7 zip is primarily for Weblogic/Websphere which I believe we decided to stay on hibernate 5.1.x, we cannot make an upgrade to 5.3.x due to technical reasons. So this CVE is expected to be fixed only for EAP, kie-server-ee8. So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and hibernate-core-kie-server-ee7) as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't. This issue has been addressed in the following products: Red Hat support for Spring Boot 2.3.6 Via RHSA-2021:0292 https://access.redhat.com/errata/RHSA-2021:0292 This issue has been addressed in the following products: RHPAM 7.10.0 Via RHSA-2021:0600 https://access.redhat.com/errata/RHSA-2021:0600 This issue has been addressed in the following products: RHDM 7.10.0 Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:2562 https://access.redhat.com/errata/RHSA-2021:2562 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.5 on RHEL 7 Red Hat JBoss Web Server 5.5 on RHEL 8 Via RHSA-2021:2561 https://access.redhat.com/errata/RHSA-2021:2561 This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 |