Bug 1666499 (CVE-2019-14900) - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
Summary: CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1666641 1666642 1666643
Blocks: 1666500
Reported: 2019-01-15 20:38 UTC by Laura Pardo
Modified: 2021-12-14 18:47 UTC
CC List: 114 users

Fixed In Version: Hibernate ORM 5.3.18, Hibernate ORM 5.4.18, Hibernate ORM 5.5.0.Beta1, Hibernate ORM 5.3.17.Final-redhat-00001
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Hibernate ORM. The implementation of the JPA Criteria API is vulnerable to SQL injection because it does not sanitize literals used in the SELECT or GROUP BY parts of a query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Clone Of:
Environment:
Last Closed: 2020-05-12 22:31:46 UTC
Embargoed:


Links (Red Hat Product Errata, with last-updated time):
 * RHSA-2020:2112, 2020-05-12 17:17:11 UTC
 * RHSA-2020:3461, 2020-08-17 13:27:56 UTC
 * RHSA-2020:3462, 2020-08-17 13:30:08 UTC
 * RHSA-2020:3463, 2020-08-17 13:33:40 UTC
 * RHSA-2020:3464, 2020-08-17 13:25:38 UTC
 * RHSA-2020:3585, 2020-08-31 15:40:41 UTC
 * RHSA-2020:3637, 2020-09-07 12:55:48 UTC
 * RHSA-2020:3638, 2020-09-07 13:01:53 UTC
 * RHSA-2020:3639, 2020-09-07 12:58:48 UTC
 * RHSA-2020:3642, 2020-09-07 13:05:54 UTC
 * RHSA-2020:4252, 2020-10-14 11:17:17 UTC
 * RHSA-2020:4960, 2020-11-05 18:47:22 UTC
 * RHSA-2020:4961, 2020-11-05 18:48:47 UTC
 * RHSA-2020:5568, 2020-12-16 12:11:46 UTC


Description Laura Pardo 2019-01-15 20:38:17 UTC
A flaw was found in Hibernate ORM versions 4.3 to 5.4 inclusive. There is an SQL injection in the implementation of the JPA Criteria API when a literal is used in the SELECT or GROUP BY parts of the query. Exploiting this vulnerability can result in an information leak.
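Added illustration of the pattern the description refers to; this is not code from this bug or from the Hibernate project. A caller-supplied string passed through CriteriaBuilder.literal() into the SELECT (or, equally, GROUP BY) clause is what affected versions rendered into the SQL text, and the hardened variant keeps such literals application-owned via an allowlist, a coding practice that complements, but does not replace, upgrading to a fixed release. The Account entity, the report labels and the ReportQueries class are assumptions made for the example.

```java
import java.util.Map;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Tuple;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

public class ReportQueries {

    // Hypothetical entity, assumed for the example.
    @Entity
    public static class Account {
        @Id Long id;
        String name;
    }

    // Vulnerable pattern on affected Hibernate ORM (4.3 through 5.4 before the
    // fixed releases): the request-supplied string becomes a literal in the
    // SELECT clause, which those versions rendered inline into the SQL text.
    static TypedQuery<Tuple> labelledNamesUnsafe(EntityManager em, String labelFromRequest) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> cq = cb.createTupleQuery();
        Root<Account> account = cq.from(Account.class);
        cq.multiselect(account.get("name"), cb.literal(labelFromRequest));
        return em.createQuery(cq);
    }

    // Hardened pattern: only application-owned constants ever reach
    // cb.literal(); the caller may choose a key, never the literal text.
    private static final Map<String, String> LABELS = Map.of(
            "active", "Active accounts",
            "dormant", "Dormant accounts");

    static TypedQuery<Tuple> labelledNamesSafe(EntityManager em, String labelKey) {
        String label = LABELS.get(labelKey);
        if (label == null) {
            throw new IllegalArgumentException("unknown report label: " + labelKey);
        }
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> cq = cb.createTupleQuery();
        Root<Account> account = cq.from(Account.class);
        cq.multiselect(account.get("name"), cb.literal(label));
        return em.createQuery(cq);
    }
}
```

Auditing for the unsafe shape means searching for literal() calls in select/multiselect/groupBy whose argument can be traced back to request input; the key-to-constant lookup above makes that trace end at application code.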

Comment 5 Laura Pardo 2019-01-16 14:57:06 UTC
Acknowledgments:

Name: Guillaume Smet (Red Hat)

Comment 7 Guillaume Smet 2019-02-09 12:59:35 UTC
Any news about this issue? It has nearly been a month.

We will soon integrate a new version of Hibernate ORM in EAP 7.2.1 and it would have been nice to have this fixed.

Thanks for the feedback.

Comment 9 Richard Maciel Costa 2019-02-27 01:00:36 UTC
Statement:

OpenDaylight:
In the RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack Platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.

Red Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in their candlepin component. However, that component does not use hibernate-core in a vulnerable way.

Comment 12 Joshua Padman 2019-08-12 02:16:53 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 16 Paramvir jindal 2019-12-27 09:49:07 UTC
Created trackers for RHDM, RHPAM, RHSSO, JDG, and EAP 7

Comment 20 Chess Hazlett 2020-05-12 15:11:19 UTC
Mitigation:

There is no currently known mitigation for this flaw.

Comment 21 errata-xmlrpc 2020-05-12 17:17:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3.8

Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112

Comment 22 Product Security DevOps Team 2020-05-12 22:31:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14900

Comment 27 errata-xmlrpc 2020-08-17 13:25:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3464 https://access.redhat.com/errata/RHSA-2020:3464

Comment 28 errata-xmlrpc 2020-08-17 13:27:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:3461 https://access.redhat.com/errata/RHSA-2020:3461

Comment 29 errata-xmlrpc 2020-08-17 13:30:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:3462 https://access.redhat.com/errata/RHSA-2020:3462

Comment 30 errata-xmlrpc 2020-08-17 13:33:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:3463 https://access.redhat.com/errata/RHSA-2020:3463

Comment 31 errata-xmlrpc 2020-08-31 15:40:36 UTC
This issue has been addressed in the following products:

  EAP-CD 20 Tech Preview

Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585

Comment 32 errata-xmlrpc 2020-09-07 12:55:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637

Comment 33 errata-xmlrpc 2020-09-07 12:58:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639

Comment 34 errata-xmlrpc 2020-09-07 13:01:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638

Comment 35 errata-xmlrpc 2020-09-07 13:05:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642

Comment 36 errata-xmlrpc 2020-10-14 11:17:10 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.7.5

Via RHSA-2020:4252 https://access.redhat.com/errata/RHSA-2020:4252

Comment 38 Paramvir jindal 2020-11-02 11:10:37 UTC
Update from RHDM and RHPAM engineering :

The kie-server-ee7 zip is primarily for Weblogic/Websphere, for which I believe we decided to stay on hibernate 5.1.x; we cannot upgrade to 5.3.x for technical reasons. So this CVE is expected to be fixed only for EAP, kie-server-ee8.

So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and hibernate-core-kie-server-ee7), as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't.

Comment 40 errata-xmlrpc 2020-11-05 18:47:17 UTC
This issue has been addressed in the following products:

  RHDM 7.9.0

Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960

Comment 41 errata-xmlrpc 2020-11-05 18:48:43 UTC
This issue has been addressed in the following products:

  RHPAM 7.9.0

Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961

Comment 42 errata-xmlrpc 2020-12-16 12:11:31 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568