A flaw was found in Hibernate ORM in all versions up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to retrieve, update or delete unauthorized information, provided the attacker already knows the table names and column names.
This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat JBoss BPMS 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss Data Virtualization 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Mitigation: Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters.
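Added example (not part of the advisory or of Hibernate itself) showing both mitigations above in JPA Criteria code on Hibernate 5.4: the literal-based query the advisory says to replace, the same query with a named parameter, and a startup check that hibernate.use_sql_comments is not enabled. The `Account` entity with an `owner` column and the `AccountRepository` class are hypothetical.

```java
import java.util.List;
import java.util.Map;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

// Hypothetical entity used only for this example.
@Entity
class Account {
    @Id public Long id;
    public String owner;
}

public class AccountRepository {
    private final EntityManager em;

    public AccountRepository(EntityManager em) { this.em = em; }

    // Pattern the advisory tells you to replace: the untrusted value is embedded
    // as a literal in the criteria query. With hibernate.use_sql_comments enabled
    // on an unpatched Hibernate, such literals are the injection vector described above.
    public List<Account> findByOwnerLiteral(String ownerInput) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Account> q = cb.createQuery(Account.class);
        Root<Account> acc = q.from(Account.class);
        q.select(acc).where(cb.equal(acc.get("owner"), cb.literal(ownerInput)));
        return em.createQuery(q).getResultList();
    }

    // Mitigated form: a named parameter keeps the value out of the SQL text;
    // it is bound by the JDBC driver at execution time instead.
    public List<Account> findByOwner(String ownerInput) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Account> q = cb.createQuery(Account.class);
        Root<Account> acc = q.from(Account.class);
        ParameterExpression<String> owner = cb.parameter(String.class, "owner");
        q.select(acc).where(cb.equal(acc.get("owner"), owner));
        return em.createQuery(q).setParameter("owner", ownerInput).getResultList();
    }

    // Startup check for the configuration mitigation: the property defaults to
    // false, so an absent key is fine; fail fast if someone has turned it on.
    public static void assertSqlCommentsDisabled(EntityManager em) {
        Map<String, Object> props = em.getEntityManagerFactory().getProperties();
        Object v = props.get("hibernate.use_sql_comments");
        if (v != null && Boolean.parseBoolean(v.toString())) {
            throw new IllegalStateException(
                "hibernate.use_sql_comments is enabled; disable it or upgrade past 5.4.23.Final");
        }
    }
}
```

Call `AccountRepository.assertSqlCommentsDisabled(em)` once at application start; the check is only a safety net, and upgrading to a fixed build remains the primary remedy.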
This issue has been addressed in the following products: EAP 7.3.3 Via RHSA-2020:5174 https://access.redhat.com/errata/RHSA-2020:5174
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6, Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5175 https://access.redhat.com/errata/RHSA-2020:5175
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25638
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.3 one-off Via RHSA-2020:5254 https://access.redhat.com/errata/RHSA-2020:5254
This issue has been addressed in the following products: Red Hat build of Quarkus 1.7.5 SP1 Via RHSA-2020:5302 https://access.redhat.com/errata/RHSA-2020:5302
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:5388 https://access.redhat.com/errata/RHSA-2020:5388
Update from RHDM and RHPAM engineering: The kie-server-ee7 zip is primarily for WebLogic/WebSphere, which I believe we decided to keep on hibernate 5.1.x; we cannot upgrade to 5.3.x due to technical reasons. So this CVE is expected to be fixed only for EAP, kie-server-ee8. So we have added two different components for RHDM and RHPAM (hibernate-core-kie-server-ee8 and hibernate-core-kie-server-ee7), as only kie-server-ee8.zip will be fixed and kie-server-ee7.zip won't.
This issue has been addressed in the following products: Red Hat support for Spring Boot 2.3.6 Via RHSA-2021:0292 https://access.redhat.com/errata/RHSA-2021:0292
This issue has been addressed in the following products: RHPAM 7.10.0 Via RHSA-2021:0600 https://access.redhat.com/errata/RHSA-2021:0600
This issue has been addressed in the following products: RHDM 7.10.0 Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:2562 https://access.redhat.com/errata/RHSA-2021:2562
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.5 on RHEL 7, Red Hat JBoss Web Server 5.5 on RHEL 8 Via RHSA-2021:2561 https://access.redhat.com/errata/RHSA-2021:2561
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140