A flaw was found in Hibernate ORM versions 4.3 to 5.4 inclusive. The flaw is an SQL injection in the implementation of the JPA Criteria API that occurs when a literal is used in the SELECT or GROUP BY part of the query. Exploitation of this vulnerability can result in an information leak.
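To make the affected construct concrete, the following added example (not code from the advisory or from the Hibernate project) shows what "a literal used in the SELECT part of the query" looks like in JPA Criteria code, beside a form that keeps caller-supplied values out of the SELECT list altogether. It assumes a hypothetical `Account` entity with an `owner` attribute and the `javax.persistence` API used by Hibernate ORM 5.x.

```java
import javax.persistence.EntityManager;
import javax.persistence.Tuple;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;
import java.util.AbstractMap.SimpleEntry;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Account is a hypothetical entity assumed for this example:
//   @Entity public class Account { @Id Long id; String owner; }

public class CriteriaLiteralExample {

    // Affected construct: a caller-supplied string is placed in the SELECT list
    // through cb.literal(). On Hibernate ORM 4.3 through 5.4 that literal is
    // rendered into the SQL text, so untrusted input here is an injection sink.
    static List<Tuple> ownersWithLiteralLabel(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> cq = cb.createTupleQuery();
        Root<Account> account = cq.from(Account.class);
        cq.multiselect(cb.literal(label), account.get("owner"));
        return em.createQuery(cq).getResultList();
    }

    // Defensive form: no caller-supplied value appears in SELECT or GROUP BY.
    // Only the mapped attribute is selected; the label is attached in Java,
    // so the database never sees the untrusted string at all.
    static List<Map.Entry<String, String>> ownersWithLabel(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<String> cq = cb.createQuery(String.class);
        Root<Account> account = cq.from(Account.class);
        cq.select(account.<String>get("owner"));
        return em.createQuery(cq).getResultList().stream()
                .<Map.Entry<String, String>>map(owner -> new SimpleEntry<>(label, owner))
                .collect(Collectors.toList());
    }
}
```

Reviewing code for `cb.literal(...)` calls in `select`, `multiselect` or `groupBy` whose argument can be influenced by a caller is a practical way to find the pattern this flaw affects.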
Acknowledgments: Name: Guillaume Smet (Red Hat)
Any news about this issue? It has nearly been a month. We will soon integrate a new version of Hibernate ORM in EAP 7.2.1 and it would have been nice to have this fixed. Thanks for the feedback.
Statement: OpenDaylight: In RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack Platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection. Red Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in their candlepin component. However, that component does not use hibernate-core in a vulnerable way.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created trackers for RHDM, RHPAM, RHSSO, JDG, and EAP 7
Mitigation: There is no currently known mitigation for this flaw.
This issue has been addressed in the following products: Red Hat Single Sign On 7.3.8 Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14900
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:3464 https://access.redhat.com/errata/RHSA-2020:3464
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:3461 https://access.redhat.com/errata/RHSA-2020:3461
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:3462 https://access.redhat.com/errata/RHSA-2020:3462
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:3463 https://access.redhat.com/errata/RHSA-2020:3463
This issue has been addressed in the following products: EAP-CD 20 Tech Preview Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642
This issue has been addressed in the following products: Red Hat build of Quarkus 1.7.5 Via RHSA-2020:4252 https://access.redhat.com/errata/RHSA-2020:4252
Update from RHDM and RHPAM engineering: The kie-server-ee7 zip is primarily for WebLogic/WebSphere, for which I believe we decided to stay on hibernate 5.1.x; we cannot make an upgrade to 5.3.x due to technical reasons. So this CVE is expected to be fixed only for EAP, kie-server-ee8. So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and hibernate-core-kie-server-ee7), as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't.
This issue has been addressed in the following products: RHDM 7.9.0 Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960
This issue has been addressed in the following products: RHPAM 7.9.0 Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568