Headline
HyperSQL DataBase flaw leaves library vulnerable to RCE
Mishandling of untrusted input issue resolved by developers
John Leyden 24 October 2022 at 14:46 UTC
Mishandling of untrusted input issue resolved by developers
Security researchers have discovered a serious vulnerability in HyperSQL DataBase (HSQLDB) that poses a remote code execution (RCE) risk.
HSQLDB offers a Java-based SQL relational database system. The technology – which is the second most popular embedded SQL database with 100 million downloads to date – is used for development, testing, and deployment of database applications.
HSQLDB is used by more than 3,120 Maven packages including LibreOffice, JBoss, Log4j, Hibernate, and Spring-Boot as well as various enterprise software packages.
Parsing problem
Security researchers from Code Intelligence discovered the RCE vulnerability (tracked as CVE-2022-41853 and rated with a near-maximum CVSS severity score of 9.8) after running a series of fuzzing tests.
More precisely, they found that the parsing procedure for binary and text format data in the java.sql.Statement and java.sql.PreparedStatement components of the technology were flawed.
All versions of the software up to and including HSQLDB version 2.7.0 are vulnerable. Code Intelligence contacted HSQL Development Group, the developers of HSQLDB, who responded promptly by putting together a fix and a workaround that helps safeguard previous versions.
Catch up on the latest secure development news and analysis
HSQLDB is yet to respond to a request for comment from The Daily Swig but security researchers from Code Intelligence have confirmed that a patch is in the pipeline.
“The issue is already fixed upstream and will be available in the next release,” Code Intelligence said. “From version 2.7.1. the property hsqldb.method_class_names must be defined with a list of class names or wild cards if any Java static method is used as an HSQLDB routine target.”
The previous implementations caused a problem because the use of Java static methods, except those in java.lang.Math, should not be allowed without defining the system property or else problems can arise.
Root cause
A technical write-up of the issue by Code Intelligence explains the root cause of the problem in more depth.
“By default, SQL statements can be used to call any static method from any Java class in the class path. HSQLDB (HyperSQL DataBase) allowed direct use of methods,” a post on Medium last week explains.
The vulnerability means that using java.sql.Statement or java.sql.PreparedStatement in pre-patch versions of HSQLDB along with untrusted input may leave applications vulnerable to an RCE attack.
In response to queries from The Daily Swig, Khaled Yakdan, co-founder of Code Intelligence, explained that an app does not have to be vulnerable to SQL injection for the issue to come into play.
“The current default configuration allows static methods of any class that is on the classpath to be used,” Yakdan said. “Moreover, direct use of methods is allowed for legacy compatibility.”
Yakden declined to speculate on which particular apps might be vulnerable, but he was able to explain the impact of the flaw in cases where it was activated.
“We only focus on finding bugs and don’t investigate which code bases are vulnerable,” Yakden told The Daily Swig. “The impact of this CVE is that if you use HyperSQL to process queries that include (untrusted) user input, attackers may be able to cause your app to execute arbitrary code.”
RELATED Apache Commons Text RCE: Resemblance to Log4Shell but exposure risk is ‘much lower’
Related news
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37533: A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about service...
Red Hat Security Advisory 2023-1514-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.
Red Hat Security Advisory 2023-1512-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1471: A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE). * CVE-2022-4492: A flaw was found in undertow. The undertow c...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Debian Linux Security Advisory 5313-1 - It was found that those using java.sql.Statement or java.sql.PreparedStatement in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to a remote code execution attack.
Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute * CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users * CVE-2021-31684: json-smart: Denial of Service in...
Red Hat Security Advisory 2022-8560-01 - The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database contains a JDBC driver to support a subset of ANSI-92 SQL.
Red Hat Security Advisory 2022-8559-01 - The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database contains a JDBC driver to support a subset of ANSI-92 SQL.
An update for hsqldb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41853: hsqldb: Untrusted input may lead to RCE attack
An update for hsqldb is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41853: hsqldb: Untrusted input may lead to RCE attack
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.