Bug 2136141 (CVE-2022-41853) - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Summary: CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41853
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136239 2138725 2138726 2138727 2138728 2138729 2138730 2138731 2138732 2138733 2138734 2138735
Blocks: 2136142
Reported: 2022-10-19 12:25 UTC by Patrick Del Bello
Modified: 2023-01-16 03:50 UTC

Fixed In Version: hsqldb 2.7.1
Doc Text:
A flaw was found in the HSQLDB package. By default, any static method of any Java class in the classpath can be called, so processing untrusted input can result in remote code execution.
Clone Of:
Environment:
Last Closed: 2022-12-08 23:03:03 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8559 0 None None None 2022-11-21 16:04:29 UTC
Red Hat Product Errata RHSA-2022:8560 0 None None None 2022-11-21 16:17:40 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:40:21 UTC

Description Patrick Del Bello 2022-10-19 12:25:24 UTC
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7
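
The mitigation named in the description, as an added example (not code from HSQLDB, Red Hat or the reporter): a startup guard that sets hsqldb.method_class_names when it is absent and refuses to continue when a value supplied with -D names classes outside the allowlist. The class name com.example.db.SqlFunctions, the ';' separator between entries, and the requirement to run the guard before HSQLDB is first used are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not HSQLDB or Red Hat code. Uses only the JDK.
public final class HsqldbMethodAllowlist {
    // Property name as given in the bug description.
    static final String PROP = "hsqldb.method_class_names";

    // Hypothetical application class whose static methods SQL routines may call.
    // An empty list yields "", i.e. no classes allowed.
    static final List<String> ALLOWED = List.of("com.example.db.SqlFunctions");

    /**
     * Install the allowlist if the property is unset; otherwise verify that a
     * value passed with -D stays inside the allowlist. Returns the effective value.
     */
    static String enforce() {
        String current = System.getProperty(PROP);
        if (current == null) {
            // Unset is the dangerous state before 2.7.1: every class is callable.
            String value = String.join(";", ALLOWED);
            System.setProperty(PROP, value);
            return value;
        }
        List<String> rejected = new ArrayList<>();
        for (String entry : current.split(";")) {   // assumption: ';' separates entries
            String name = entry.trim();
            if (!name.isEmpty() && !ALLOWED.contains(name)) {
                rejected.add(name);                  // wildcard entries end up here too
            }
        }
        if (!rejected.isEmpty()) {
            throw new IllegalStateException(PROP + " allows unexpected classes: " + rejected);
        }
        return current;
    }

    public static void main(String[] args) {
        // Call enforce() before the first JDBC connection or any other HSQLDB use.
        System.clearProperty(PROP);
        System.out.println("unset  -> \"" + enforce() + "\"");

        // Constructed over-broad value, as an operator might pass with -D.
        System.setProperty(PROP, "com.example.db.SqlFunctions;org.example.other.*");
        try {
            enforce();
        } catch (IllegalStateException e) {
            System.out.println("reject -> " + e.getMessage());
        }
    }
}
```

On 2.7.1 and later the same guard still documents which classes the application expects to expose and catches a -D override that widens the list.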

Comment 5 Caolan McNamara 2022-10-31 20:32:20 UTC
For LibreOffice this sounds the same as: https://www.openoffice.org/security/cves/CVE-2007-4575.html which was addressed in 2007 with https://cgit.freedesktop.org/libreoffice/core/commit/?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and https://cgit.freedesktop.org/libreoffice/core/commit/?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of hsqldb.method_class_names and sets a default of nothing.

Comment 6 Stephan Bergmann 2022-11-01 12:55:37 UTC
(In reply to Caolan McNamara from comment #5)
> For LibreOffice this sounds the same as:
> https://www.openoffice.org/security/cves/CVE-2007-4575.html which was
> addressed in 2007 with
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=0aee25d265b6e763f4fa09ade76ec152edf0bc89 and
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=66062454bbf3f80dfdeb543c77f526b1af880d0a which makes use of
> hsqldb.method_class_names and sets a default of nothing.

I agree with that analysis.  As I just replied at <security>:  "That looks plausible to me:  Apparently, the original hsqldb commit <https://sourceforge.net/p/hsqldb/svn/2750> 'External Java method security update' and its follow-up <https://sourceforge.net/p/hsqldb/svn/2752> 'External Java method security update', both from 2007, introducing the hsqldb.method_class_names system property mechanism, were done in tandem with the cited OOo-era commits that unconditionally set that property (and which is still effective in recent LO master).  That combination of hsqldb and OOo commits apparently addressed CVE-2007-4575 back then.

"Therefore, the recent hsqldb commit <https://sourceforge.net/p/hsqldb/svn/6614> 'core code updates - Java methods used in routines must now be in hsqldb.method_class_names value string' (which appears to be the response to CVE-2022-41853, changing the hsqldb.method_class_names system property mechanism from 'opt-in' to 'always enabled') is not relevant for us, as we set that property anyway."

Comment 8 errata-xmlrpc 2022-11-21 16:04:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:8559 https://access.redhat.com/errata/RHSA-2022:8559

Comment 9 errata-xmlrpc 2022-11-21 16:17:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:8560 https://access.redhat.com/errata/RHSA-2022:8560

Comment 10 errata-xmlrpc 2022-11-28 14:40:17 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 11 Product Security DevOps Team 2022-12-08 23:02:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41853

