Bug 2136141 (CVE-2022-41853)
| Summary: | CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, brian.stansberry, caolanm, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, eglynn, emingora, etirelli, fjuma, fmongiar, gjospin, gmalinko, ibek, iweiss, janstey, jjoyce, jnethert, jochrist, jpavlik, jpoth, jrokos, jross, jscholz, jwon, kverlaen, lgao, lhh, loleary, lpeer, lthon, mburns, mgarciac, mizdebsk, mkolesni, mmclaugh, mnovotny, mokumar, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, peholase, pgallagh, pjindal, pmackay, rguimara, rrajasek, rruss, rstancel, sbergman, scohen, smaestri, spinder, spower, tcunning, theute, tom.jenkinson, tpopela, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | hsqldb 2.7.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-08 23:03:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2136239, 2138725, 2138726, 2138727, 2138728, 2138729, 2138730, 2138731, 2138732, 2138733, 2138734, 2138735 | ||
| Bug Blocks: | 2136142 | ||
For LibreOffice this sounds the same as: https://www.openoffice.org/security/cves/CVE-2007-4575.html which was addressed in 2007 with https://cgit.freedesktop.org/libreoffice/core/commit/?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and https://cgit.freedesktop.org/libreoffice/core/commit/?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of hsqldb.method_class_names and sets a default of nothing. (In reply to Caolan McNamara from comment #5) > For LibreOffice this sounds the same as: > https://www.openoffice.org/security/cves/CVE-2007-4575.html which was > addressed in 2007 with > https://cgit.freedesktop.org/libreoffice/core/commit/ > ?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and > https://cgit.freedesktop.org/libreoffice/core/commit/ > ?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of > hsqldb.method_class_names and sets a default of nothing. I agree with that analysis. As I just replied at <security>: "That looks plausible to me: Apparently, the original hsqldb commit <https://sourceforge.net/p/hsqldb/svn/2750> 'External Java method security update' and its follow-up <https://sourceforge.net/p/hsqldb/svn/2752> 'External Java method security update', both from 2007, introducing the hsqldb.method_class_names system property mechanism, were done in tandem with the cited OOo-era commits that unconditionally set that property (and which is still effective in recent LO master). That combination of hsqldb and OOo commits apparently addressed CVE-2007-4575 back then. "Therefore, the recent hsqldb commit <https://sourceforge.net/p/hsqldb/svn/6614> 'core code updates - Java methods used in routines must now be in hsqldb.method_class_names value string' (which appears to be the response to CVE-2022-41853, changing the hsqldb.method_class_names system property mechanism from 'opt-in' to 'always enabled') is not relevant for us, as we set that property anyway." This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:8559 https://access.redhat.com/errata/RHSA-2022:8559 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:8560 https://access.redhat.com/errata/RHSA-2022:8560 This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41853 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512 This issue has been addressed in the following products: EAP 7.4.10 release Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516 This issue has been addressed in the following products: RHINT Camel-Springboot 3.20.1 Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100 |
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7