CVE-2014-3558
First published: Thu Jul 17 2014(Updated: )
IssueDescription: It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.hibernate:hibernate-validator | >=5.0.0<5.1.2 | 5.1.2 |
| maven/org.hibernate:hibernate-validator | >=4.3.0<4.3.2 | 4.3.2 |
| maven/org.hibernate:hibernate-validator | >=4.1.0<4.2.1 | 4.2.1 |
| Red Hat Hibernate Validator | >=4.3.0<4.3.2 | |
| Red Hat Hibernate Validator | >=5.0.0<=5.0.3 | |
| Red Hat Hibernate Validator | >=5.1.0<5.1.2 | |
| Red Hat Hibernate Validator | =4.1.0 | |
| Red Hat Hibernate Validator | =4.2.0 | |
| Red Hat Hibernate Validator | =4.2.0-beta1 | |
| Red Hat Hibernate Validator | =4.2.0-beta2 | |
| Red Hat Hibernate Validator | =4.2.0-cr1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hibernate.atlassian.net/browse/HV-912
- https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3558.yaml
- https://rhn.redhat.com/errata/RHSA-2014-1288.html
- https://rhn.redhat.com/errata/RHSA-2014-1287.html
- https://rhn.redhat.com/errata/RHSA-2014-1286.html
- https://rhn.redhat.com/errata/RHSA-2014-1285.html
- https://rhn.redhat.com/errata/RHSA-2015-0125.html
- https://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://rhn.redhat.com/errata/RHSA-2015-0234.html
- https://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1120495
- http://rhn.redhat.com/errata/RHSA-2014-1285.html
- http://rhn.redhat.com/errata/RHSA-2014-1286.html
- http://rhn.redhat.com/errata/RHSA-2014-1287.html
- http://rhn.redhat.com/errata/RHSA-2014-1288.html
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-3558
- https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d
- https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726
- https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c
- https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52
- https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e
- https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870
- https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f
- https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e
- https://github.com/advisories/GHSA-845h-985r-jrqh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-3558?
CVE-2014-3558 is considered to have a moderate severity level.
How do I fix CVE-2014-3558?
To fix CVE-2014-3558, upgrade your Hibernate Validator to version 5.1.2 or 4.3.2 or later.
Which versions are affected by CVE-2014-3558?
CVE-2014-3558 affects Hibernate Validator versions prior to 5.1.2 and 4.3.2.
What is the impact of CVE-2014-3558?
The impact of CVE-2014-3558 could allow a malicious application to execute unauthorized code within the same application container.
Is CVE-2014-3558 a Java security issue?
Yes, CVE-2014-3558 is related to security vulnerabilities in the Java Security Manager when using Hibernate Validator.
- collector/redhat-bugzilla
- alias/CVE-2014-3558
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-845h-985r-jrqh
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- vendor/redhat
- canonical/red hat hibernate validator
- version/red hat hibernate validator/4.3.0
- version/red hat hibernate validator/5.0.0
- version/red hat hibernate validator/5.0.3
- version/red hat hibernate validator/5.1.0
- version/red hat hibernate validator/4.1.0
- version/red hat hibernate validator/4.2.0
- version/red hat hibernate validator/4.2.0-beta1
- version/red hat hibernate validator/4.2.0-beta2
- version/red hat hibernate validator/4.2.0-cr1