CVE-2022-41853: Remote code execution in HyperSQL DataBase

First published: Thu Oct 06 2022(Updated: )

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Credit: cve-coordination@google.com

Remedy

By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk). In the example below, the property has been included as an argument to the Java command. java -Dhsqldb.method_class_names="org.me.MyClass;org.you.YourClass;org.you.lib.*" [the rest of the command line] The above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level. The user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method. Once the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC. In hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/redhat-cve
collector/debian-bugs
alias/CVE-2022-41853
collector/security-tracker-debian
collector/nvd-index
agent/type
agent/softwarecombine
agent/first-publish-date
agent/author
agent/remedy
agent/weakness
agent/description
agent/severity
agent/title
collector/mitre-cve
source/MITRE
agent/event
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/references
agent/last-modified-date
agent/tags
agent/trending
package-manager/redhat
package-manager/debian
vendor/hsqldb
canonical/hsqldb hypersql database
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
version/debian debian linux/11.0

CVE-2022-41853: Remote code execution in HyperSQL DataBase

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact

Affected Software	Affected Version	How to fix
redhat/hsqldb	<2.7.1	2.7.1
redhat/hsqldb	<1:1.8.0.10-13.el6_10	1:1.8.0.10-13.el6_10
redhat/hsqldb	<1:1.8.1.3-15.el7_9	1:1.8.1.3-15.el7_9
redhat/eap7-activemq-artemis-native	<1:1.0.2-3.redhat_00004.1.el8ea	1:1.0.2-3.redhat_00004.1.el8ea
redhat/eap7-apache-mime4j	<0:0.8.9-1.redhat_00001.1.el8ea	0:0.8.9-1.redhat_00001.1.el8ea
redhat/eap7-artemis-native	<1:1.0.2-4.redhat_00004.1.el8ea	1:1.0.2-4.redhat_00004.1.el8ea
redhat/eap7-artemis-wildfly-integration	<0:1.0.7-1.redhat_00001.1.el8ea	0:1.0.7-1.redhat_00001.1.el8ea
redhat/eap7-infinispan	<0:11.0.17-1.Final_redhat_00001.1.el8ea	0:11.0.17-1.Final_redhat_00001.1.el8ea
redhat/eap7-ironjacamar	<0:1.5.11-1.Final_redhat_00001.1.el8ea	0:1.5.11-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-ejb-client	<0:4.0.50-1.Final_redhat_00001.1.el8ea	0:4.0.50-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-metadata	<0:13.4.0-1.Final_redhat_00001.1.el8ea	0:13.4.0-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-server-migration	<0:1.10.0-26.Final_redhat_00025.1.el8ea	0:1.10.0-26.Final_redhat_00025.1.el8ea
redhat/eap7-jbossws-cxf	<0:5.4.8-1.Final_redhat_00001.1.el8ea	0:5.4.8-1.Final_redhat_00001.1.el8ea
redhat/eap7-jbossws-spi	<0:3.4.0-2.Final_redhat_00001.1.el8ea	0:3.4.0-2.Final_redhat_00001.1.el8ea
redhat/eap7-netty	<0:4.1.86-1.Final_redhat_00001.1.el8ea	0:4.1.86-1.Final_redhat_00001.1.el8ea
redhat/eap7-netty-transport-native-epoll	<0:4.1.86-1.Final_redhat_00001.1.el8ea	0:4.1.86-1.Final_redhat_00001.1.el8ea
redhat/eap7-picketlink-federation	<0:2.5.5-22.SP12_redhat_00012.1.el8ea	0:2.5.5-22.SP12_redhat_00012.1.el8ea
redhat/eap7-resteasy	<0:3.15.5-1.Final_redhat_00001.1.el8ea	0:3.15.5-1.Final_redhat_00001.1.el8ea
redhat/eap7-snakeyaml	<0:1.33.0-2.SP1_redhat_00001.1.el8ea	0:1.33.0-2.SP1_redhat_00001.1.el8ea
redhat/eap7-undertow	<0:2.2.23-1.SP2_redhat_00001.1.el8ea	0:2.2.23-1.SP2_redhat_00001.1.el8ea
redhat/eap7-undertow-jastow	<0:2.0.14-1.Final_redhat_00001.1.el8ea	0:2.0.14-1.Final_redhat_00001.1.el8ea
redhat/eap7-wildfly	<0:7.4.10-6.GA_redhat_00002.1.el8ea	0:7.4.10-6.GA_redhat_00002.1.el8ea
redhat/eap7-wildfly-http-client	<0:1.1.16-1.Final_redhat_00002.1.el8ea	0:1.1.16-1.Final_redhat_00002.1.el8ea
redhat/eap7-activemq-artemis-native	<1:1.0.2-3.redhat_00004.1.el9ea	1:1.0.2-3.redhat_00004.1.el9ea
redhat/eap7-apache-mime4j	<0:0.8.9-1.redhat_00001.1.el9ea	0:0.8.9-1.redhat_00001.1.el9ea
redhat/eap7-artemis-native	<1:1.0.2-4.redhat_00004.1.el9ea	1:1.0.2-4.redhat_00004.1.el9ea
redhat/eap7-artemis-wildfly-integration	<0:1.0.7-1.redhat_00001.1.el9ea	0:1.0.7-1.redhat_00001.1.el9ea
redhat/eap7-infinispan	<0:11.0.17-1.Final_redhat_00001.1.el9ea	0:11.0.17-1.Final_redhat_00001.1.el9ea
redhat/eap7-ironjacamar	<0:1.5.11-1.Final_redhat_00001.1.el9ea	0:1.5.11-1.Final_redhat_00001.1.el9ea
redhat/eap7-jboss-ejb-client	<0:4.0.50-1.Final_redhat_00001.1.el9ea	0:4.0.50-1.Final_redhat_00001.1.el9ea
redhat/eap7-jboss-metadata	<0:13.4.0-1.Final_redhat_00001.1.el9ea	0:13.4.0-1.Final_redhat_00001.1.el9ea
redhat/eap7-jboss-server-migration	<0:1.10.0-26.Final_redhat_00025.1.el9ea	0:1.10.0-26.Final_redhat_00025.1.el9ea
redhat/eap7-jbossws-cxf	<0:5.4.8-1.Final_redhat_00001.1.el9ea	0:5.4.8-1.Final_redhat_00001.1.el9ea
redhat/eap7-jbossws-spi	<0:3.4.0-2.Final_redhat_00001.1.el9ea	0:3.4.0-2.Final_redhat_00001.1.el9ea
redhat/eap7-netty	<0:4.1.86-1.Final_redhat_00001.1.el9ea	0:4.1.86-1.Final_redhat_00001.1.el9ea
redhat/eap7-netty-transport-native-epoll	<0:4.1.86-1.Final_redhat_00001.1.el9ea	0:4.1.86-1.Final_redhat_00001.1.el9ea
redhat/eap7-picketlink-federation	<0:2.5.5-22.SP12_redhat_00012.1.el9ea	0:2.5.5-22.SP12_redhat_00012.1.el9ea
redhat/eap7-resteasy	<0:3.15.5-1.Final_redhat_00001.1.el9ea	0:3.15.5-1.Final_redhat_00001.1.el9ea
redhat/eap7-snakeyaml	<0:1.33.0-2.SP1_redhat_00001.1.el9ea	0:1.33.0-2.SP1_redhat_00001.1.el9ea
redhat/eap7-undertow	<0:2.2.23-1.SP2_redhat_00001.1.el9ea	0:2.2.23-1.SP2_redhat_00001.1.el9ea
redhat/eap7-undertow-jastow	<0:2.0.14-1.Final_redhat_00001.1.el9ea	0:2.0.14-1.Final_redhat_00001.1.el9ea
redhat/eap7-wildfly	<0:7.4.10-6.GA_redhat_00002.1.el9ea	0:7.4.10-6.GA_redhat_00002.1.el9ea
redhat/eap7-wildfly-http-client	<0:1.1.16-1.Final_redhat_00002.1.el9ea	0:1.1.16-1.Final_redhat_00002.1.el9ea
redhat/eap7-activemq-artemis-native	<1:1.0.2-3.redhat_00004.1.el7ea	1:1.0.2-3.redhat_00004.1.el7ea
redhat/eap7-apache-mime4j	<0:0.8.9-1.redhat_00001.1.el7ea	0:0.8.9-1.redhat_00001.1.el7ea
redhat/eap7-artemis-native	<1:1.0.2-4.redhat_00004.1.el7ea	1:1.0.2-4.redhat_00004.1.el7ea
redhat/eap7-artemis-wildfly-integration	<0:1.0.7-1.redhat_00001.1.el7ea	0:1.0.7-1.redhat_00001.1.el7ea
redhat/eap7-infinispan	<0:11.0.17-1.Final_redhat_00001.1.el7ea	0:11.0.17-1.Final_redhat_00001.1.el7ea
redhat/eap7-ironjacamar	<0:1.5.11-1.Final_redhat_00001.1.el7ea	0:1.5.11-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-ejb-client	<0:4.0.50-1.Final_redhat_00001.1.el7ea	0:4.0.50-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-metadata	<0:13.4.0-1.Final_redhat_00001.1.el7ea	0:13.4.0-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-server-migration	<0:1.10.0-26.Final_redhat_00025.1.el7ea	0:1.10.0-26.Final_redhat_00025.1.el7ea
redhat/eap7-jbossws-cxf	<0:5.4.8-1.Final_redhat_00001.1.el7ea	0:5.4.8-1.Final_redhat_00001.1.el7ea
redhat/eap7-jbossws-spi	<0:3.4.0-2.Final_redhat_00001.1.el7ea	0:3.4.0-2.Final_redhat_00001.1.el7ea
redhat/eap7-netty	<0:4.1.86-1.Final_redhat_00001.1.el7ea	0:4.1.86-1.Final_redhat_00001.1.el7ea
redhat/eap7-netty-transport-native-epoll	<0:4.1.86-1.Final_redhat_00001.1.el7ea	0:4.1.86-1.Final_redhat_00001.1.el7ea
redhat/eap7-picketlink-federation	<0:2.5.5-22.SP12_redhat_00012.1.el7ea	0:2.5.5-22.SP12_redhat_00012.1.el7ea
redhat/eap7-resteasy	<0:3.15.5-1.Final_redhat_00001.1.el7ea	0:3.15.5-1.Final_redhat_00001.1.el7ea
redhat/eap7-snakeyaml	<0:1.33.0-2.SP1_redhat_00001.1.el7ea	0:1.33.0-2.SP1_redhat_00001.1.el7ea
redhat/eap7-undertow	<0:2.2.23-1.SP2_redhat_00001.1.el7ea	0:2.2.23-1.SP2_redhat_00001.1.el7ea
redhat/eap7-undertow-jastow	<0:2.0.14-1.Final_redhat_00001.1.el7ea	0:2.0.14-1.Final_redhat_00001.1.el7ea
redhat/eap7-wildfly	<0:7.4.10-6.GA_redhat_00002.1.el7ea	0:7.4.10-6.GA_redhat_00002.1.el7ea
redhat/eap7-wildfly-http-client	<0:1.1.16-1.Final_redhat_00002.1.el7ea	0:1.1.16-1.Final_redhat_00002.1.el7ea
debian/hsqldb	<=2.4.1-2	2.4.1-2+deb10u2 2.5.1-1+deb11u2 2.7.1-1+deb12u1 2.7.2-1
Hsqldb Hypersql Database	<2.7.1
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0