CVE-2022-41853
published 2022-10-06


Priority: P262 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.52% (87.8th percentile)
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Affected

9 ranges

Vendor            | Product           | Version range                   | Fixed in
------------------|-------------------|---------------------------------|------------------------------
debian            | debian_linux      |                                 |
debian            | debian_linux      |                                 |
debian            | hsqldb            | < hsqldb 2.7.1-1 (bookworm)     | hsqldb 2.7.1-1 (bookworm)
hsqldb            | hypersql_database | < 2.7.1                         | 2.7.1
hypersql_database | hsqldb            | >= 0, < 2.5.1-1+deb11u1         | 2.5.1-1+deb11u1
hypersql_database | hsqldb            | >= 0, < 2.7.1-1                 | 2.7.1-1
hypersql_database | hsqldb            | >= 0, < 2.7.1-1                 | 2.7.1-1
hypersql_database | hsqldb            | >= 0, < 2.7.1-1                 | 2.7.1-1
hypersql_database | hsqldb            | >= unspecified, < 2.7.1         | 2.7.1

Detection & IOCs (extracted from sources)

  • Exploitation of CVE-2022-41853 involves calling arbitrary static methods of Java classes via hsqldb SQL statements (java.sql.Statement or java.sql.PreparedStatement) with untrusted input, resulting in remote code execution.
  • Monitor for the absence or misconfiguration of the JVM system property 'hsqldb.method_class_names'; if this property is not set on a pre-2.7.1 build, every static method of every class on the classpath is callable from SQL and the application is exposed to exploitation.
  • Detect hsqldb versions prior to 2.7.1 in use; these versions allow unrestricted static method invocation by default and are vulnerable.
  • Alert on Java process command lines that do NOT include '-Dhsqldb.method_class_names' when running hsqldb-based applications that process untrusted SQL input, as this indicates the default unsafe configuration. Note that the property can also be set programmatically with System.setProperty() before the driver is loaded, so a command-line check alone can produce false positives; confirm against the application's startup code or configuration.
  • By default (pre-2.7.1), hsqldb allows calling any static method of any Java class on the classpath. The system property 'hsqldb.method_class_names' must be explicitly set to restrict access. A value ending in '.*' is treated as a wildcard granting access to all classes and methods in that package, so a wildcard allow-list is broader than a list of named classes.
  • From hsqldb 2.7.1 onward, all classes are inaccessible by default except those in java.lang.Math, and must be manually enabled via 'hsqldb.method_class_names'.
  • Access to Java routines in hsqldb is also governed by database-level EXECUTE privileges (GRANT EXECUTE or GRANT ALL), which provides an additional layer of access control beyond the system property.
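The two host-side checks listed above (an hsqldb jar older than 2.7.1 on the classpath, and no '-Dhsqldb.method_class_names' on the command line) can be combined into a small audit script. The following is an added example written for this page, not code from the CVE record's sources or from the hsqldb project. It reads the hsqldb version from the jar file name, which is an assumption (a renamed or shaded jar would need its MANIFEST inspected instead), and runs over constructed sample lines in the style of `ps -eo args` output rather than real processes.

```python
"""Audit Java process command lines for CVE-2022-41853 exposure (added example)."""
import re

# First hsqldb release whose default is deny-all except java.lang.Math (per the advisory text).
FIXED_VERSION = (2, 7, 1)

# Assumption: the hsqldb jar keeps its upstream file name, e.g. hsqldb-2.5.0.jar.
JAR_RE = re.compile(r"hsqldb-(\d+)\.(\d+)\.(\d+)[^/\s:]*\.jar")
PROP_RE = re.compile(r"-Dhsqldb\.method_class_names=(\S*)")

# Constructed sample command lines (not real hosts or applications).
SAMPLE_CMDLINES = [
    "java -cp /opt/app/lib/hsqldb-2.5.0.jar:/opt/app/app.jar com.example.App",
    "java -Dhsqldb.method_class_names=com.example.safe.* -cp /opt/app/lib/hsqldb-2.6.1.jar com.example.App",
    "java -Dhsqldb.method_class_names=abc -cp /opt/app/lib/hsqldb-2.5.1.jar com.example.App",
    "java -cp /opt/app/lib/hsqldb-2.7.1.jar com.example.App",
    "java -jar /opt/other/service.jar",
]


def hsqldb_version(cmdline):
    """Return the (major, minor, patch) tuple of the hsqldb jar on the command line, or None."""
    m = JAR_RE.search(cmdline)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def method_class_names(cmdline):
    """Return the value of -Dhsqldb.method_class_names, or None if it is absent."""
    m = PROP_RE.search(cmdline)
    return m.group(1) if m else None


def assess(cmdline):
    """Classify one command line; returns None when no hsqldb jar is on the classpath."""
    version = hsqldb_version(cmdline)
    if version is None:
        return None
    allowed = method_class_names(cmdline)
    if version >= FIXED_VERSION:
        # 2.7.1+: nothing beyond java.lang.Math is reachable unless explicitly enabled.
        status = "fixed"
    elif allowed is None:
        # Pre-2.7.1 default: any static method of any class on the classpath is callable.
        status = "vulnerable"
    elif allowed.endswith(".*"):
        # Allow-list is present but a trailing '.*' opens a whole package.
        status = "restricted-wildcard"
    else:
        status = "restricted"
    return {
        "version": ".".join(str(x) for x in version),
        "method_class_names": allowed,
        "status": status,
    }


def audit(cmdlines):
    """Run assess() over many command lines, skipping processes without hsqldb."""
    results = []
    for line in cmdlines:
        r = assess(line)
        if r is not None:
            r["cmdline"] = line
            results.append(r)
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_CMDLINES):
        print(f"{r['status']:20s} hsqldb {r['version']:6s} "
              f"method_class_names={r['method_class_names']}")
```

A "restricted" result on a pre-2.7.1 build still deserves a look at the listed classes, and the property may be set from application code rather than the command line, so "vulnerable" here means "not mitigated by a JVM argument", to be confirmed against the application's startup path and its GRANT EXECUTE privileges.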

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vendor_oracle |         | 9.8   | HIGH     |
vendor_debian |         | 8.0   | HIGH     |
vendor_redhat |         | 8.0   | HIGH     |