CVE-2022-41853
Published: 2022-10-06
Priority P2 · 62 · critical · CVSS 3.1: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.52% (87.8th percentile)
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default, any static method of any Java class on the classpath can be called from SQL, which results in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to the list of classes that may be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or the Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1, no classes are accessible by default except those in java.lang.Math; any others must be enabled manually.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | hsqldb | < hsqldb 2.7.1-1 (bookworm) | hsqldb 2.7.1-1 (bookworm) |
| hsqldb | hypersql_database | < 2.7.1 | 2.7.1 |
| hypersql_database | hsqldb | >= 0 < 2.5.1-1+deb11u1 | 2.5.1-1+deb11u1 |
| hypersql_database | hsqldb | >= 0 < 2.7.1-1 | 2.7.1-1 |
| hypersql_database | hsqldb | >= 0 < 2.7.1-1 | 2.7.1-1 |
| hypersql_database | hsqldb | >= 0 < 2.7.1-1 | 2.7.1-1 |
| hypersql_database | hsqldb | >= unspecified < 2.7.1 | 2.7.1 |
Detection & IOCs (extracted from sources)
- Exploitation of CVE-2022-41853 involves calling arbitrary static methods of Java classes via hsqldb SQL statements (java.sql.Statement or java.sql.PreparedStatement) with untrusted input, resulting in remote code execution.
- Monitor for the absence or misconfiguration of the JVM system property 'hsqldb.method_class_names'; if it is not set, every static method on the classpath is reachable and the instance is running in the default unsafe configuration.
- Detect hsqldb versions prior to 2.7.1 in use; these versions allow unrestricted static method invocation by default and are vulnerable.
- Alert on Java process command lines that do NOT include '-Dhsqldb.method_class_names' when running hsqldb-based applications that process untrusted SQL input, as this indicates the default unsafe configuration.
- By default (pre-2.7.1), hsqldb allows calling any static method of any Java class on the classpath. The system property 'hsqldb.method_class_names' must be explicitly set to restrict access. A value ending in '.*' is treated as a wildcard granting access to all classes/methods in that package.
- From hsqldb 2.7.1 onward, all classes are inaccessible by default except those in java.lang.Math, and must be manually enabled via 'hsqldb.method_class_names'.
- Access to Java routines in hsqldb is also governed by database-level EXECUTE privileges (GRANT EXECUTE or GRANT ALL), which provide an additional layer of access control beyond the system property.
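As an added example (not code from the advisory, the aggregator or the hsqldb project), the Python script below applies the command-line heuristics listed above to a set of constructed JVM command lines: it looks for an hsqldb jar on the classpath, reads the version from the jar name, checks whether -Dhsqldb.method_class_names is present, and reports allowlist entries ending in '.*' as package wildcards. All PIDs, paths and command lines are constructed; the ';' separator for the property value is assumed from the hsqldb SQL routines guide and should be confirmed against the version in use.

```python
"""Audit JVM command lines for the unrestricted hsqldb static-method configuration
that CVE-2022-41853 describes. Added example; not code from the advisory or the
hsqldb project. All PIDs, paths and command lines below are constructed."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 7, 1)              # first release that allowlists by default
PROPERTY = "hsqldb.method_class_names"

# Matches a standard hsqldb jar name on a classpath, e.g. hsqldb-2.5.1.jar or
# hsqldb-2.7.1-jdk8.jar. A shaded or renamed jar would not be recognised.
HSQLDB_JAR_RE = re.compile(r"hsqldb-(\d+)\.(\d+)\.(\d+)[^/\\:;]*\.jar", re.IGNORECASE)

# Constructed sample input: pid -> command line, as /proc/<pid>/cmdline or
# `ps -o pid,args` would show it.
SAMPLE_CMDLINES = {
    "4021": "java -cp /opt/app/lib/hsqldb-2.5.1.jar:/opt/app/app.jar com.example.App",
    "4022": ('java -Dhsqldb.method_class_names="com.example.sql.Safe" '
             "-cp /opt/app/lib/hsqldb-2.5.1.jar:/opt/app/app.jar com.example.App"),
    "4023": "java -Dhsqldb.method_class_names=com.example.* -cp /opt/app/lib/hsqldb-2.6.0.jar com.example.App",
    "4024": "java -cp /opt/app/lib/hsqldb-2.7.1.jar:/opt/app/app.jar com.example.App",
    "4025": "java -cp /opt/app/lib/postgresql-42.6.0.jar com.example.Other",
}


@dataclass
class Finding:
    pid: str
    hsqldb_version: Tuple[int, ...]
    allowlist: Optional[List[str]]     # None: property absent from the command line
    wildcards: List[str] = field(default_factory=list)

    @property
    def vulnerable_default(self) -> bool:
        """hsqldb older than 2.7.1 with no allowlist set on the command line."""
        return self.hsqldb_version < FIXED_VERSION and self.allowlist is None


def parse_version(cmdline: str) -> Optional[Tuple[int, ...]]:
    """Return the hsqldb version from the jar name on the classpath, or None."""
    m = HSQLDB_JAR_RE.search(cmdline)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_allowlist(cmdline: str) -> Optional[List[str]]:
    """Return the entries of -Dhsqldb.method_class_names, or None if it is absent.

    The separator is assumed to be ';' (the hsqldb guide's list syntax); ',' is
    accepted too so a mis-separated value is still surfaced rather than hidden.
    """
    for tok in shlex.split(cmdline):
        if tok.startswith(f"-D{PROPERTY}="):
            value = tok.split("=", 1)[1]
            return [c for c in re.split(r"[;,]", value) if c]
    return None


def audit(cmdlines: Dict[str, str]) -> Dict[str, Finding]:
    """Assess every command line that loads hsqldb; others are skipped."""
    findings = {}
    for pid, cmd in cmdlines.items():
        version = parse_version(cmd)
        if version is None:
            continue
        allowlist = parse_allowlist(cmd)
        # Entries ending in '.*' open a whole package, so report them separately.
        wildcards = [c for c in (allowlist or []) if c.endswith(".*")]
        findings[pid] = Finding(pid, version, allowlist, wildcards)
    return findings


def report(findings: Dict[str, Finding]) -> None:
    for f in findings.values():
        ver = ".".join(map(str, f.hsqldb_version))
        if f.vulnerable_default:
            print(f"[ALERT] pid {f.pid}: hsqldb {ver} < 2.7.1 and -D{PROPERTY} not set")
        elif f.wildcards:
            print(f"[INFO]  pid {f.pid}: hsqldb {ver}, allowlist has package wildcards {f.wildcards}")
        else:
            print(f"[OK]    pid {f.pid}: hsqldb {ver}, allowlist={f.allowlist}")


if __name__ == "__main__":
    report(audit(SAMPLE_CMDLINES))
```

Two caveats follow from the description itself: the property can also be set programmatically with System.setProperty, so its absence from the command line shows the default configuration is not being overridden there but is not conclusive on its own; and a 2.7.1 or later instance with no property set is in the restricted default, which is why the version check and the property check are combined rather than alerting on the missing flag alone.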
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | HIGH | — |
| vendor_debian | — | 8.0 | HIGH | — |
| vendor_redhat | — | 8.0 | HIGH | — |
Oracle
Oracle Insurance Applications Risk Matrix: Enterprise Edition (HyperSQL Database)
vendor_oracle · 2024-04-15 · CVSS 6.7 · Severity: HIGH
CVE: CVE-2022-41853
CVSS: 6.7
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2024 (APR 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: Third Party (HyperSQL Database)
vendor_oracle · 2023-07-15 · CVSS 9.8 · Severity: HIGH
CVE: CVE-2022-41853
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Red Hat
hsqldb: Untrusted input may lead to RCE attack
vendor_redhat · 2022-10-06 · CVSS 8.0 · Severity: HIGH · CWE-470
A flaw was found in the HSQLDB package. This flaw allow
Debian
CVE-2022-41853: hsqldb - Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL...
vendor_debian · 2022 · CVSS 8.0 · Severity: HIGH
Scope: local
bookworm: resolved (fixed in 2.7.1-1)
bullseye: resolved (fixed in 2.5.1-1+deb11u1)
forky:
GHSA
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input
ghsa · 2022-10-06 · Severity: CRITICAL · CWE-470
OSV
CVE-2022-41853: Those using java
osv · 2022-10-06 · CVSS 9.8 · Severity: CRITICAL
OSV
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input
osv · 2022-10-06 · Severity: CRITICAL
No detection rules found.
No public exploits indexed.
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review
blogs_qualys·2023-07-19
Oracle Patch Tuesday, July 2023 Security Update Review
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
References
- http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7
- https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html
- https://www.debian.org/security/2023/dsa-5313