Bug 2136141 (CVE-2022-41853) - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Summary: CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41853
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136239 2138725 2138726 2138727 2138728 2138729 2138730 2138731 2138732 2138733 2138734 2138735
Blocks: 2136142
TreeView+ depends on / blocked
 
Reported: 2022-10-19 12:25 UTC by Patrick Del Bello
Modified: 2023-05-03 14:06 UTC (History)
72 users (show)

Fixed In Version: hsqldb 2.7.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.
Clone Of:
Environment:
Last Closed: 2022-12-08 23:03:03 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8559 0 None None None 2022-11-21 16:04:29 UTC
Red Hat Product Errata RHSA-2022:8560 0 None None None 2022-11-21 16:17:40 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:40:21 UTC
Red Hat Product Errata RHSA-2023:1512 0 None None None 2023-03-29 11:44:06 UTC
Red Hat Product Errata RHSA-2023:1513 0 None None None 2023-03-29 11:42:18 UTC
Red Hat Product Errata RHSA-2023:1514 0 None None None 2023-03-29 11:40:55 UTC
Red Hat Product Errata RHSA-2023:1516 0 None None None 2023-03-29 11:45:48 UTC
Red Hat Product Errata RHSA-2023:2100 0 None None None 2023-05-03 14:06:27 UTC

Description Patrick Del Bello 2022-10-19 12:25:24 UTC 
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7
Comment 5 Caolan McNamara 2022-10-31 20:32:20 UTC 
For LibreOffice this sounds the same as: https://www.openoffice.org/security/cves/CVE-2007-4575.html which was addressed in 2007 with https://cgit.freedesktop.org/libreoffice/core/commit/?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and https://cgit.freedesktop.org/libreoffice/core/commit/?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of hsqldb.method_class_names and sets a default of nothing.
Comment 6 Stephan Bergmann 2022-11-01 12:55:37 UTC 
(In reply to Caolan McNamara from comment #5)
> For LibreOffice this sounds the same as:
> https://www.openoffice.org/security/cves/CVE-2007-4575.html which was
> addressed in 2007 with
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of
> hsqldb.method_class_names and sets a default of nothing.

I agree with that analysis.  As I just replied at <security>:  "That looks plausible to me:  Apparently, the original hsqldb commit <https://sourceforge.net/p/hsqldb/svn/2750> 'External Java method security update' and its follow-up <https://sourceforge.net/p/hsqldb/svn/2752> 'External Java method security update', both from 2007, introducing the hsqldb.method_class_names system property mechanism, were done in tandem with the cited OOo-era commits that unconditionally set that property (and which is still effective in recent LO master).  That combination of hsqldb and OOo commits apparently addressed CVE-2007-4575 back then.

"Therefore, the recent hsqldb commit <https://sourceforge.net/p/hsqldb/svn/6614> 'core code updates - Java methods used in routines must now be in hsqldb.method_class_names value string' (which appears to be the response to CVE-2022-41853, changing the hsqldb.method_class_names system property mechanism from 'opt-in' to 'always enabled') is not relevant for us, as we set that property anyway."
Comment 8 errata-xmlrpc 2022-11-21 16:04:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:8559 https://access.redhat.com/errata/RHSA-2022:8559
Comment 9 errata-xmlrpc 2022-11-21 16:17:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:8560 https://access.redhat.com/errata/RHSA-2022:8560
Comment 10 errata-xmlrpc 2022-11-28 14:40:17 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
Comment 11 Product Security DevOps Team 2022-12-08 23:02:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41853
Comment 13 errata-xmlrpc 2023-03-29 11:40:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514
Comment 14 errata-xmlrpc 2023-03-29 11:42:15 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513
Comment 15 errata-xmlrpc 2023-03-29 11:44:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512
Comment 16 errata-xmlrpc 2023-03-29 11:45:44 UTC 
This issue has been addressed in the following products:

  EAP 7.4.10 release

Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516
Comment 17 errata-xmlrpc 2023-05-03 14:06:23 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
Note You need to log in before you can comment on or make changes to this bug.