Bug 1881353 (CVE-2020-25638) - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25638
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1877830
Reported: 2020-09-22 08:57 UTC by Ted Jongseok Won
Modified: 2023-06-29 14:21 UTC (History)

See Also:
Fixed In Version: Hibernate ORM 5.4.24.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-11-23 17:34:00 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5174 0 None None None 2020-11-23 13:27:43 UTC
Red Hat Product Errata RHSA-2020:5175 0 None None None 2020-11-23 13:34:17 UTC
Red Hat Product Errata RHSA-2020:5254 0 None None None 2020-11-30 17:29:25 UTC
Red Hat Product Errata RHSA-2020:5302 0 None None None 2020-12-01 11:45:53 UTC
Red Hat Product Errata RHSA-2020:5340 0 None None None 2020-12-03 19:14:30 UTC
Red Hat Product Errata RHSA-2020:5341 0 None None None 2020-12-03 19:17:20 UTC
Red Hat Product Errata RHSA-2020:5342 0 None None None 2020-12-03 19:20:06 UTC
Red Hat Product Errata RHSA-2020:5344 0 None None None 2020-12-03 19:13:27 UTC
Red Hat Product Errata RHSA-2020:5361 0 None None None 2020-12-16 07:20:47 UTC
Red Hat Product Errata RHSA-2020:5388 0 None None None 2021-01-07 11:49:33 UTC
Red Hat Product Errata RHSA-2020:5533 0 None None None 2020-12-15 17:14:33 UTC
Red Hat Product Errata RHSA-2021:0292 0 None None None 2021-02-02 10:26:00 UTC
Red Hat Product Errata RHSA-2021:0600 0 None None None 2021-02-17 12:08:19 UTC
Red Hat Product Errata RHSA-2021:0603 0 None None None 2021-02-17 13:40:19 UTC
Red Hat Product Errata RHSA-2021:2561 0 None None None 2021-06-29 08:52:12 UTC
Red Hat Product Errata RHSA-2021:2562 0 None None None 2021-06-29 08:40:18 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:26:24 UTC

Description Ted Jongseok Won 2020-09-22 08:57:38 UTC
A flaw was found in Hibernate ORM of all versions before and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to retrieve/update/delete unauthorized information, but only if the attacker already has the table names and column names.

Comment 5 Ted Jongseok Won 2020-09-22 12:23:46 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 28 Ted Jongseok Won 2020-11-13 00:25:57 UTC
Mitigation:

Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters.
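
The two mitigations named above (leaving hibernate.use_sql_comments at its default of false, and binding values as named parameters rather than embedding them as literals) shown side by side as an added example; this is not code from the Bugzilla report or from Hibernate itself. The `Person` entity, its `name` attribute and the `PersonRepository` class are assumptions for illustration, and the untrusted input is assumed to arrive from a request.

```java
// Added example, not part of the original report: contrasts the risky
// literal-based query pattern with the parameter-based pattern that the
// mitigation recommends. Entity and repository names are hypothetical.
//
// Configuration side of the mitigation (hibernate.properties or the
// <properties> element of persistence.xml); false is the default:
//     hibernate.use_sql_comments=false

import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

// Minimal entity assumed for the example.
@Entity
class Person {
    @Id
    Long id;
    String name;
}

public class PersonRepository {

    private final EntityManager em;

    public PersonRepository(EntityManager em) {
        this.em = em;
    }

    // RISKY PATTERN: the untrusted value is rendered into the query as a
    // string literal. In the affected Hibernate versions, when
    // hibernate.use_sql_comments is true, such a literal also ends up in the
    // SQL comment that Hibernate prepends to the statement, which is the
    // path this CVE describes. Kept here only to show what to look for.
    public List<Person> findByNameWithLiteral(String untrustedName) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Person> cq = cb.createQuery(Person.class);
        Root<Person> p = cq.from(Person.class);
        cq.select(p).where(cb.equal(p.get("name"), cb.literal(untrustedName)));
        return em.createQuery(cq).getResultList();
    }

    // The same mistake in JPQL form: concatenating input into the query text.
    public List<Person> findByNameJpqlConcatenated(String untrustedName) {
        String jpql = "select p from Person p where p.name = '" + untrustedName + "'";
        return em.createQuery(jpql, Person.class).getResultList();
    }

    // MITIGATED (Criteria API): a named parameter is bound separately from
    // the query text, so the value is never spliced into JPQL, SQL or a
    // SQL comment regardless of the use_sql_comments setting.
    public List<Person> findByNameWithParameter(String untrustedName) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Person> cq = cb.createQuery(Person.class);
        Root<Person> p = cq.from(Person.class);
        ParameterExpression<String> nameParam = cb.parameter(String.class, "name");
        cq.select(p).where(cb.equal(p.get("name"), nameParam));
        TypedQuery<Person> q = em.createQuery(cq);
        q.setParameter("name", untrustedName);
        return q.getResultList();
    }

    // MITIGATED (JPQL): the :name placeholder is bound with setParameter.
    public List<Person> findByNameJpqlParameter(String untrustedName) {
        return em.createQuery("select p from Person p where p.name = :name", Person.class)
                 .setParameter("name", untrustedName)
                 .getResultList();
    }
}
```

When auditing a codebase for this issue, the two things to grep for are `hibernate.use_sql_comments` set to true in configuration and any query built with `cb.literal(...)` or string concatenation over request data; the parameterised forms above are the drop-in replacements, and they remain the right choice even after upgrading to 5.4.24.Final.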

Comment 31 errata-xmlrpc 2020-11-23 13:27:40 UTC
This issue has been addressed in the following products:

  EAP 7.3.3

Via RHSA-2020:5174 https://access.redhat.com/errata/RHSA-2020:5174

Comment 32 errata-xmlrpc 2020-11-23 13:34:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:5175 https://access.redhat.com/errata/RHSA-2020:5175

Comment 33 Product Security DevOps Team 2020-11-23 17:34:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25638

Comment 35 errata-xmlrpc 2020-11-30 17:29:20 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.3 one-off

Via RHSA-2020:5254 https://access.redhat.com/errata/RHSA-2020:5254

Comment 36 errata-xmlrpc 2020-12-01 11:45:44 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.7.5 SP1

Via RHSA-2020:5302 https://access.redhat.com/errata/RHSA-2020:5302

Comment 37 errata-xmlrpc 2020-12-03 19:13:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344

Comment 38 errata-xmlrpc 2020-12-03 19:14:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340

Comment 39 errata-xmlrpc 2020-12-03 19:17:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341

Comment 40 errata-xmlrpc 2020-12-03 19:20:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342

Comment 43 errata-xmlrpc 2020-12-15 17:14:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533

Comment 44 errata-xmlrpc 2020-12-16 07:20:43 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361

Comment 45 errata-xmlrpc 2021-01-07 11:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:5388 https://access.redhat.com/errata/RHSA-2020:5388

Comment 46 Paramvir jindal 2021-01-08 08:57:06 UTC
Update from RHDM and RHPAM engineering:

The kie-server-ee7 zip is primarily for WebLogic/WebSphere, for which I believe we decided to stay on Hibernate 5.1.x; we cannot upgrade to 5.3.x for technical reasons. So this CVE is expected to be fixed only for EAP, i.e. kie-server-ee8.

So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and hibernate-core-kie-server-ee7), as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't.

Comment 51 errata-xmlrpc 2021-02-02 10:25:48 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.3.6

Via RHSA-2021:0292 https://access.redhat.com/errata/RHSA-2021:0292

Comment 52 errata-xmlrpc 2021-02-17 12:08:15 UTC
This issue has been addressed in the following products:

  RHPAM 7.10.0

Via RHSA-2021:0600 https://access.redhat.com/errata/RHSA-2021:0600

Comment 53 errata-xmlrpc 2021-02-17 13:40:15 UTC
This issue has been addressed in the following products:

  RHDM 7.10.0

Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603

Comment 54 errata-xmlrpc 2021-05-19 08:01:14 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039

Comment 55 errata-xmlrpc 2021-06-29 08:39:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:2562 https://access.redhat.com/errata/RHSA-2021:2562

Comment 56 errata-xmlrpc 2021-06-29 08:51:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.5 on RHEL 7
  Red Hat JBoss Web Server 5.5 on RHEL 8

Via RHSA-2021:2561 https://access.redhat.com/errata/RHSA-2021:2561

Comment 57 errata-xmlrpc 2021-08-11 18:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
