Headline
CVE-2017-7536: Privilege escalation when running under the security manager
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager’s reflective permissions, which allow it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
Description Andrej Nemec 2017-06-27 16:26:07 UTC
A vulnerability which allows for a potential privilege escalation was found in the Hibernate Validator. If a security manager is present and HV itself is allowed to access private members reflectively as per the SM’s configuration, that’ll allow calling code without that permission to get hold of private state. The attack vector is to declare a constraint on a private member using XML, validate an invalid instance of that type and access the private member value via ConstraintViolation#getInvalidValue().
Comment 1 Andrej Nemec 2017-06-27 16:26:41 UTC
Acknowledgments:
Name: Gunnar Morling (Red Hat)
Comment 2 Gunnar Morling 2017-07-06 13:10:27 UTC
Hi, we’d like to know how to proceed in this matter. Specifically we are about to release Hibernate Validator 6 (the reference implementation of Bean Validation 2.0) soon. Can we provide a fix for that issue in this new major version at this point in time? Our plan is to check for a specific permission which the caller must possess in order to validate constraints on private members when a security manager is enabled. We’d like to be sure though whether we can provide this solution while this bug record for Hibernate Validator 5.x still is open. Thanks!
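The check Gunnar outlines above (demand a dedicated permission from the caller before reading a private member on its behalf under a security manager), as an added Java illustration that is neither part of this bug record nor Hibernate Validator's own code; the permission class, the two reader methods and the bean/field parameters are hypothetical.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

// Hypothetical permission a caller must hold for the library to read private
// members on its behalf (the real class and name used by HV are not on this page).
final class AccessPrivateMembersPermission extends BasicPermission {
    AccessPrivateMembersPermission() {
        super("accessPrivateMembers");
    }
}

final class PrivateMemberReader {

    // Confused-deputy shape: the library's own protection domain holds
    // accessDeclaredMembers/suppressAccessChecks, so doPrivileged succeeds no
    // matter what the caller is granted, and the private value flows back to
    // an unprivileged caller. This is the pattern behind CVE-2017-7536.
    static Object readUnchecked(Object bean, String fieldName) {
        return AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
            try {
                Field f = bean.getClass().getDeclaredField(fieldName);
                f.setAccessible(true);
                return f.get(bean);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    // Hardened shape: before entering the privileged block, demand the
    // dedicated permission from the current context. checkPermission walks
    // the whole call stack, so a caller whose domain lacks the grant gets an
    // AccessControlException and never receives the private value.
    static Object readChecked(Object bean, String fieldName) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new AccessPrivateMembersPermission());
        }
        return readUnchecked(bean, fieldName);
    }
}
```

With no security manager installed, readChecked behaves exactly like readUnchecked; the extra permission only matters in the sandboxed deployment the report is about.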
Comment 11 Jason Shepherd 2017-09-07 03:30:33 UTC
Red Hat Mobile Platform Millicore component does run with a security manager enabled, marking it as not affected.
Comment 15 errata-xmlrpc 2017-09-26 19:16:13 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
Comment 20 errata-xmlrpc 2017-12-13 18:54:51 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
Comment 21 Salvatore Bonaccorso 2017-12-28 08:57:57 UTC
Hi
Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any further reference?
Thank you already!
Regards, Salvatore
Comment 23 Fabio Olive Leite 2017-12-28 17:19:16 UTC
Setting needinfo to Bharti Kundal so that she sees it.
Comment 24 Bharti Kundal 2018-01-02 07:57:01 UTC
(In reply to Salvatore Bonaccorso from comment #21)
> Hi
> Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any further reference?
> Thank you already!
> Regards, Salvatore
Hi Salvatore,
The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all affected). 6 is not.
It’s fixed in the upstream 5.2 branch. The branch is here: https://github.com/hibernate/hibernate-validator/tree/5.2
Does this help?
Thanks and Regards, Bharti
Comment 25 Salvatore Bonaccorso 2018-01-02 08:18:17 UTC
Hi Bharti!
(In reply to Bharti Kundal from comment #24)
> (In reply to Salvatore Bonaccorso from comment #21)
> > Hi
> > Would it be possible to indicate where the issue was fixed? In Debian we ship libhibernate-validator-java and we would like to clarify if/how we are affected by the issue. Is there any further reference?
> > Thank you already!
> > Regards, Salvatore
> Hi Salvatore,
> The issue affected all the HV 5.x branches (so 5.2, 5.3, 5.4 are all affected). 6 is not.
> It’s fixed in the upstream 5.2 branch. The branch is here: https://github.com/hibernate/hibernate-validator/tree/5.2
> Does this help?
Yes, thanks, that helps!
Regards, Salvatore