Red Hat Bugzilla – Bug 1465573
CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
Last modified: 2018-10-19 17:42:01 EDT
A vulnerability which allows for a potential privilege escalation was found in the Hibernate Validator. If a security manager is present and HV itself is allowed to access private members reflectively as per the SM's configuration, that'll allow calling code without that permission to get hold of private state. The attack vector is to declare a constraint on a private member using XML, validate an invalid instance of that type and access the private member value via ConstraintViolation#getInvalidValue().
Acknowledgments: Name: Gunnar Morling (Red Hat)
Hi, we'd like to know how to proceed in this matter. Specifically we are about to release Hibernate Validator 6 (the reference implementation of Bean Validation 2.0) soon. Can we provide a fix for that issue in this new major version at this point in time? Our plan is to check for a specific permission which the caller must possess in order to validate constraints on private members when a security manager is enabled. We'd like to be sure though whether we can provide this solution while this bug record for Hibernate Validator 5.x still is open. Thanks!
Red Hat Mobile Platform Millicore component does run with a security manager enabled, marking it as not affected.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.8 Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
This issue has been addressed in the following products: RHEV 4.X RHEV-H and Agents for RHEL-7 Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
Hi Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any furher reference? Thank you already! Regards, Salvatore
Setting needinfo to Bharti Kundal so that she sees it.
(In reply to Salvatore Bonaccorso from comment #21) > Hi > > Would it be possible to indicate where the issue was fixed? In Debian we > ship libhibernate-validator-java and we would like to clarify if/how we are > affected by the issue. Is there any furher reference? > > Thank you already! > > Regards, > Salvatore Hi Salvatore, The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all affected). 6 is not. It's fixed in the upstream 5.2 branch .The branch is here: https://github.com/hibernate/hibernate-validator/tree/5.2 Does this help? Thanks and Regards, Bharti
Hi Bharti! (In reply to Bharti Kundal from comment #24) > (In reply to Salvatore Bonaccorso from comment #21) > > Hi > > > > Would it be possible to indicate where the issue was fixed? In Debian we > > ship libhibernate-validator-java and we would like to clarify if/how we are > > affected by the issue. Is there any furher reference? > > > > Thank you already! > > > > Regards, > > Salvatore > > Hi Salvatore, > > The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all > affected). 6 is not. > > It's fixed in the upstream 5.2 branch .The branch is here: > https://github.com/hibernate/hibernate-validator/tree/5.2 > > Does this help? Yes, thanks, that helps! Regards, Salvatore
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743
This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927