Bug 1693453 - hibernate: SQL injection when using JPQL LIKE expression against MS-SQL Server
Summary: hibernate: SQL injection when using JPQL LIKE expression against MS-SQL Server
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1704532 1705374 1708502
Blocks: 1693454
Reported: 2019-03-27 21:09 UTC by Laura Pardo
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Hibernate, where it improperly escaped wildcards in its implementation of JPQL LIKE expressions when running against an MS-SQL Server. This flaw allows for possible SQL injection, leading to possible information disclosure.
Clone Of:
Environment:
Last Closed: 2019-12-13 05:33:10 UTC
Embargoed:



Description Laura Pardo 2019-03-27 21:09:35 UTC
A vulnerability was found in Hibernate. An SQL injection exists in the implementation of JPQL LIKE expressions when running against MS-SQL Server, due to improper escaping of wildcards. This could lead to an information disclosure.

Comment 2 Richard Maciel Costa 2019-04-04 04:18:48 UTC
Statement:

Red Hat OpenStack's OpenDaylight has the provision to use JPQL. However, using OpenDaylight with Microsoft MS-SQL is not a supported configuration.
Red Hat Satellite 6 does not support using MS-SQL as a database provider, hence the aforementioned product is not affected by this issue.

Comment 9 Laura Pardo 2019-05-02 16:59:40 UTC
Acknowledgments:

Name: Jens Schauder (pivotal.io), Mark Paluch (pivotal.io)

Comment 17 Joshua Padman 2019-05-15 23:00:29 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 27 Kunjan Rathod 2019-10-15 04:33:18 UTC
It is not a vulnerability in Hibernate code for the following reasons:

* It is the user code that passes the [] or [^] constructs into Hibernate, which might be completely valid constructs in terms of SQL Server. The actual SQL injection is one of the user code, not Hibernate, as Hibernate has no way to assert what is actually intended by the user code.

* See also https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection#like-clauses

* Furthermore, the characters are treated as wildcards by SQL Server, as documented. These characters are not prohibited by other databases. Other databases simply treat them as literal characters. It works as advertised by SQL Server.
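The following is an added example, not part of this bug report and not Hibernate or SQL Server code. It simulates the documented T-SQL LIKE semantics discussed above (`%`, `_`, `[...]`, `[^...]`) next to a database where the bracket characters are literals, and shows the escaping the calling code has to apply before placing user input into a LIKE pattern. `escape_like`, `like_to_regex`, `contains_search` and the `ROWS` sample values are constructed for the illustration.

```python
"""
Simulation of SQL Server LIKE wildcard semantics versus literal-bracket databases,
plus the escaping a caller must apply before handing user input to a LIKE (or
JPQL LIKE) pattern.  Constructed stand-alone example; not Hibernate code.
"""
import re
from typing import List, Optional

# Metacharacters in a T-SQL LIKE pattern.  Portable SQL only has % and _;
# SQL Server additionally interprets [...] and [^...] as character classes.
SQLSERVER_SPECIALS = "%_[]^"
PORTABLE_SPECIALS = "%_"


def escape_like(user_input: str, escape_char: str = "\\", sqlserver: bool = True) -> str:
    """Prefix every LIKE metacharacter (and the escape character itself) with
    escape_char, so the result matches literally in `LIKE ? ESCAPE '\\'`."""
    specials = (SQLSERVER_SPECIALS if sqlserver else PORTABLE_SPECIALS) + escape_char
    return "".join(escape_char + ch if ch in specials else ch for ch in user_input)


def like_to_regex(pattern: str, escape_char: Optional[str] = None,
                  sqlserver: bool = True) -> "re.Pattern[str]":
    """Translate a LIKE pattern into an anchored regex.

    sqlserver=True honours the documented T-SQL bracket wildcards;
    sqlserver=False models a database where '[', ']' and '^' are literals.
    """
    out: List[str] = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if escape_char is not None and ch == escape_char and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))   # escaped character is literal
            i += 2
        elif ch == "%":
            out.append(".*")                        # any run of characters
            i += 1
        elif ch == "_":
            out.append(".")                         # exactly one character
            i += 1
        elif sqlserver and ch == "[" and (close := pattern.find("]", i + 1)) > i + 1:
            body = pattern[i + 1:close]
            negate = body[0] == "^" and len(body) > 1
            if negate:
                body = body[1:]
            # keep '-' so ranges such as a-z survive; neutralise regex-special chars
            cls = "".join("\\" + c if c in "\\^[" else c for c in body)
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = close + 1
        else:
            out.append(re.escape(ch))               # ordinary literal character
            i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


# Constructed sample column values, standing in for the table a search queries.
ROWS = ["alice", "bob", "[admin]", "range [a-z]", "42"]


def contains_search(user_input: str, escape: bool) -> List[str]:
    """Emulate `WHERE name LIKE '%' + input + '%'` on SQL Server, with the
    input either concatenated raw or passed through escape_like() first."""
    if escape:
        rx = like_to_regex(f"%{escape_like(user_input)}%", escape_char="\\")
    else:
        rx = like_to_regex(f"%{user_input}%")
    return [row for row in ROWS if rx.match(row)]


if __name__ == "__main__":
    for probe in ("[a-z]", "[^a]"):
        print(f"{probe!r:8} raw     -> {contains_search(probe, escape=False)}")
        print(f"{'':8} escaped -> {contains_search(probe, escape=True)}")
    # The same raw pattern on a database that has no bracket wildcards:
    portable = like_to_regex("%[a-z]%", sqlserver=False)
    print("portable raw     ->", [r for r in ROWS if portable.match(r)])
```

Raw `[a-z]` widens a "contains" search to every row with a lowercase letter on SQL Server, while the same text matches only the literal substring on a database without bracket wildcards; after `escape_like` the SQL Server result is the literal match as well. In Hibernate the escaped string is what the caller hands to JPQL `LIKE :pattern ESCAPE '\'` or to `CriteriaBuilder.like(path, pattern, escapeChar)`; the escaping itself is the caller's job, which is the point made in the comment above.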

