Roman Wagner

Remote Code Execution Vulnerability Discovered in HSQLDB

19.10.2022 - As part of our goal to continuously improve our vulnerability detectors, we test various open-source projects with Jazzer in collaboration with OSS-Fuzz. In this case, a test run yielded a severe finding: a potential remote code execution in HSQLDB (CVE-2022-41853).

Vulnerability Description

A potential remote code execution vulnerability was detected in HSQLDB's handling of statements executed through java.sql.Statement and java.sql.PreparedStatement, in the parsing procedure for binary and text format data. By default, SQL statements can be used to call any static method of any Java class on the class path. HSQLDB (HyperSQL DataBase) allowed direct use of such methods, e.g. call org.hsqldb.clazz.meth().

Affected versions: all versions <= 2.7.0

Impact of CVE-2022-41853

Critical - CVSS Base Score: 9.8

Applications that are using java.sql.Statement or java.sql.PreparedStatement in HSQLDB with untrusted input may be vulnerable to a remote code execution attack.

The library ranks 139th in the Maven repository and 2nd among embedded SQL databases. It is used by more than 3,113 Maven packages, including LibreOffice, JBoss, Log4j, Hibernate and Spring Boot (each with thousands of usages, so the risk propagates transitively), as well as various enterprise software solutions.

Remediation and Mitigation

If HSQLDB is used to process queries containing user input, the hsqldb.method_class_names property must be defined with a list of class names or wildcards whenever a static Java method is used as the target of an HSQLDB routine. Without this property definition, the use of Java static methods, except those in java.lang.Math, should not be allowed. Developers can prevent the issue by defining the system property, for example:

System.setProperty("hsqldb.method_class_names", "abc");

or 

java -Dhsqldb.method_class_names="abc"

The issue is already fixed upstream and will be available in the next release. From version 2.7.1 on, the property hsqldb.method_class_names must be defined with a list of class names or wildcards if any Java static method is used as an HSQLDB routine target.
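The following Java program, added here as an illustration and not taken from the advisory or from the HSQLDB project, applies the mitigation above and checks that it is enforced: the allowlist is set before the engine starts, a routine backed by an allowlisted class runs, and a routine backed by a class outside the list is rejected. It assumes a hypothetical helper class SafeFunctions, an in-memory database, and the "ClassName.*" entry form described in the linked HSQLDB guide section.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical application helper: the only class whose static methods we
// intend to expose as SQL routines.
class SafeFunctions {
    public static int doubled(int x) {
        return 2 * x;
    }
}

public class MethodAllowlistDemo {
    // Bind a Java static method as an HSQLDB routine and call it once.
    // Returns true if HSQLDB rejected it (SQLException), false if it ran.
    static boolean isBlocked(Connection c, String routine, String externalName) {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE FUNCTION " + routine + "(x INT) RETURNS INT "
                    + "LANGUAGE JAVA DETERMINISTIC NO SQL "
                    + "EXTERNAL NAME 'CLASSPATH:" + externalName + "'");
            st.execute("CALL " + routine + "(21)");
            return false;
        } catch (SQLException e) {
            return true;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Mitigation from the advisory: define the allowlist BEFORE the engine
        // starts. Only SafeFunctions (plus java.lang.Math, always permitted)
        // may back a routine. The "ClassName.*" entry form is assumed from
        // the HSQLDB guide.
        System.setProperty("hsqldb.method_class_names", "SafeFunctions.*");

        try (Connection c = DriverManager.getConnection(
                "jdbc:hsqldb:mem:demo", "SA", "")) {
            // Allowlisted class: the routine should be created and run.
            System.out.println("SafeFunctions.doubled blocked? "
                    + isBlocked(c, "doubled", "SafeFunctions.doubled"));
            // Not allowlisted: HSQLDB should reject the definition or the call.
            System.out.println("java.lang.Integer.bitCount blocked? "
                    + isBlocked(c, "bitcount", "java.lang.Integer.bitCount"));
            c.createStatement().execute("SHUTDOWN");
        }
    }
}
```

Run it once with the System.setProperty line removed on a version <= 2.7.0 to see the difference the allowlist makes; in deployment, prefer the -D flag so the property is set before any HSQLDB class loads.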

References

http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7

About HSQLDB

HSQLDB (HyperSQL DataBase) is a popular SQL relational database system written in Java. It is used for development, testing, and deployment of database applications. The library, which is maintained by the HSQL Development Group, ranks 139th in the Maven repository and 2nd among embedded SQL databases, and has been downloaded over 100 million times.

Acknowledgments

We are grateful to the HSQLDB maintainers for quickly responding to the issue and providing a fix and a workaround for current versions.