Bug 298051 (CVE-2007-4575-b) - CVE-2007-4575 HSQLDB DoS and information disclosure
Summary: CVE-2007-4575 HSQLDB DoS and information disclosure
Alias: CVE-2007-4575-b
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,reported=20070917,sou...
Keywords: Security
Depends On: 303551 303561 303581 303591 410891
Reported: 2007-09-20 13:02 UTC by Marc Schoenefeld
Modified: 2015-02-07 18:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-02-07 18:31:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Marc Schoenefeld 2007-09-20 13:02:25 UTC
Description of problem:

The HSQLDB service in various products is vulnerable to DoS and 
information disclosure. 

Version-Release number of selected component (if applicable):

How reproducible:

1) Start HSQLDB service.  /sbin/service hsqldb start
   (may need to change login shell for su-ing the service) 

2) Connect via JDBC (f.i. with ant sql task) to port 9001 on the 
   machine hosting the hsqldb service
     <!-- Here come the SQL statements -->

   An attacker may choose an SQL statement such as 
   a) CALL "sun.misc.MessageUtils.toStderr"(NULL) ; 
   to crash the JVM running the service, or 
   b) CALL "java.lang.System.getenv" ('PATH'); to spy for 
   system properties, or 
   c) CALL "java.util.regex.Pattern.compile", which 
   puts CPU at 100%. 

   These calls apply to HSQLDB running with Sun JDK 1.5; vulnerable methods 
   may therefore differ with other JDK versions. 
Actual results:
   - Crashed JVM, 
   - CPU at 100%
   - exposed host/user details
Expected results:
  - Disable ALIAS command for java methods in HSQLDB and activate
    java security manager,
  - Secure service with password
  - Don't allow cleartext connections (prefer TLS)
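As an added detection example (not part of the bug report or of HSQLDB itself): a scan over SQL statements, as they might be taken from an HSQLDB server trace or a JDBC proxy log, that flags CALL statements whose target is a quoted, dot-separated Java static method rather than a built-in routine. The sample statements and the risk prefixes are constructed here from the calls the reporter lists.

```python
import re

# Constructed sample statements (not captured data); three mirror the
# reporter's examples, the rest are ordinary application SQL.
SAMPLE_STATEMENTS = [
    "SELECT id, name FROM customers WHERE id = 42",
    'CALL "sun.misc.MessageUtils.toStderr"(NULL)',
    'CALL "java.lang.System.getenv"(\'PATH\')',
    'CALL "java.util.regex.Pattern.compile"(\'a*\')',
    "CALL ABS(-5)",
    "INSERT INTO audit_log VALUES (1, 'login')",
]

# A CALL whose routine name is a double-quoted identifier containing at
# least one dot, i.e. a fully qualified Java class and static method
# (the form HSQLDB uses to invoke an aliased Java method). Built-in
# routines such as CALL ABS(...) are unquoted and undotted, so they
# never match.
JAVA_CALL_RE = re.compile(
    r'\bCALL\s+"((?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*)"',
    re.IGNORECASE,
)

# Packages named in the report; any match is reported, these are rated higher.
HIGH_RISK_PREFIXES = ("java.lang.System", "sun.misc", "java.util.regex")


def classify(stmt):
    """Return a finding dict for a Java static-method CALL, else None."""
    m = JAVA_CALL_RE.search(stmt)
    if not m:
        return None
    target = m.group(1)
    severity = "high" if target.startswith(HIGH_RISK_PREFIXES) else "medium"
    return {"statement": stmt, "target": target, "severity": severity}


def scan(statements):
    """Return findings for every statement that invokes a Java method."""
    return [hit for hit in map(classify, statements) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_STATEMENTS):
        print(f'[{hit["severity"]}] {hit["target"]}: {hit["statement"]}')
```

Run against a statement log, a non-empty result shows that the Java-method alias path the report describes is reachable from clients and should be disabled or restricted.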

Comment 2 Jon Prindiville 2007-10-02 21:18:17 UTC
I've been told by the maintainer, Fred Toussi (fredt@users.sourceforge.net),
that there will be no mechanism in place to restrict connections to the server
until 1.9.0.

Despite that, I convinced hsqldb on RHEL 5 to ignore remote connection
attempts by having it bind to rather than To achieve this,
you can set the (undocumented) property "server.address" in

Additionally, I've been told that there is no way to disable the default "sa"
user. I think that the best we can do is probably to change the password during
install to something random.
