Bug 1193832 - (CVE-2020-25638) VUL-0: CVE-2020-25638: hibernate5: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Michael Calmer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/271658/
CVSSv3.1:SUSE:CVE-2020-25638:7.4:(AV:...
Reported: 2021-12-16 15:43 UTC by Gabriele Sonnu
Modified: 2022-02-28 20:26 UTC (History)
Found By: Security Response Team
Description Gabriele Sonnu 2021-12-16 15:43:44 UTC
A flaw was found in Hibernate ORM of all versions before and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to retrieve/update/delete unauthorized information if only the attacker already has the table names and column names.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1881353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25638
https://www.oracle.com/security-alerts/cpujul2021.html#CVE-2020-25638
http://www.debian.org/security/-1/dsa-4908
https://www.debian.org/security/2021/dsa-4908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638
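
An added triage example, not part of the original report or of Hibernate's code: it checks a deployment for the two configuration-side conditions named in the bug title, an upstream version at or below 5.4.23.Final and `hibernate.use_sql_comments` switched on. The function names, result labels and sample inputs are assumptions made for illustration; the version test uses upstream numbering only, so a distribution package with a backported fix (such as the patched hibernate5 5.3.7 builds in the updates on this page) still reports as an affected version.

```python
import re
import xml.etree.ElementTree as ET

# From the page: affected up to and including 5.4.23.Final (upstream numbering).
LAST_AFFECTED = (5, 4, 23)
# Prefixed name, plus the unprefixed form that hibernate.cfg.xml files may use.
NAMES = {"hibernate.use_sql_comments", "use_sql_comments"}

def parse_version(text):
    """'5.3.7' or '5.4.23.Final' -> (5, 3, 7) / (5, 4, 23); qualifier ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def comments_enabled(config_text):
    """True if a .properties or XML config turns SQL comments on."""
    if config_text.lstrip().startswith("<"):
        for el in ET.fromstring(config_text).iter():
            # Strip any XML namespace; accept value="..." or element text.
            if el.tag.rsplit("}", 1)[-1] == "property" and el.get("name") in NAMES:
                if (el.get("value") or el.text or "").strip().lower() == "true":
                    return True
        return False
    enabled = False
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":       # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) in NAMES:
            enabled = m.group(2).strip().lower() == "true"   # last one wins
    return enabled

def assess(version, config_text):
    """Classify one deployment against the conditions in the bug title."""
    if parse_version(version) > LAST_AFFECTED:
        return "version-not-affected"
    if comments_enabled(config_text):
        return "review-jpql-literals"   # both config-side conditions hold
    return "affected-version-comments-off"

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_PROPS = "hibernate.show_sql=false\nhibernate.use_sql_comments = true\n"
SAMPLE_XML = ('<persistence xmlns="http://xmlns.jcp.org/xml/ns/persistence">'
              '<persistence-unit name="demo"><properties>'
              '<property name="hibernate.use_sql_comments" value="false"/>'
              '</properties></persistence-unit></persistence>')

if __name__ == "__main__":
    print(assess("5.3.7", SAMPLE_PROPS))
    print(assess("5.3.7", SAMPLE_XML))
```

A `review-jpql-literals` result means the remaining condition from the title, string literals reaching JPQL or Criteria queries, has to be checked in the application code itself.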
Comment 1 Gabriele Sonnu 2021-12-16 15:45:08 UTC
Affected packages:

 - SUSE:SLE-15-SP2:Update:Products:Manager41:Update/hibernate5  5.3.7
 - SUSE:SLE-15-SP3:Update:Products:Manager42:Update/hibernate5  5.3.7

Upstream commit:

https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
Comment 2 Michael Calmer 2021-12-16 16:30:31 UTC
Seems this is public for more than a year already. So I think we can fix it just with our next regular Maintenance updates and do not need to schedule an extra update.

Do you agree?
Comment 4 Gabriele Sonnu 2021-12-17 09:03:33 UTC
I agree, the fix can be released with the next Maintenance window.
Comment 9 Swamp Workflow Management 2022-01-28 17:20:46 UTC
SUSE-RU-2022:0224-1: An update that has 28 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1173103,1173143,1184617,1187673,1187708,1188505,1188900,1190114,1190446,1191192,1191222,1191285,1191313,1191340,1191377,1191412,1191442,1191656,1191702,1191899,1192487,1192514,1192736,1193008,1193585,1193612,1193694,1193832
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.13-3.67.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.13-3.50.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.13-3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-01-28 17:24:16 UTC
SUSE-SU-2022:0225-1: An update that solves one vulnerability and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1173103,1173143,1184617,1187708,1188505,1188900,1190114,1190446,1191192,1191222,1191285,1191313,1191340,1191377,1191412,1191442,1191656,1191702,1191899,1192487,1192514,1192736,1193008,1193585,1193612,1193694,1193832,1194990
CVE References: CVE-2020-25638
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    hibernate5-5.3.7-3.6.1, mgr-libmod-4.1.10-3.25.2, mgr-osad-4.1.6-2.12.2, prometheus-formula-0.3.5-3.15.1, py27-compat-salt-3000.3-6.18.1, spacecmd-4.1.16-4.33.2, spacewalk-admin-4.1.11-3.18.2, spacewalk-backend-4.1.30-4.47.2, spacewalk-certs-tools-4.1.20-3.25.2, spacewalk-client-tools-4.1.11-4.18.2, spacewalk-java-4.1.43-3.63.1, spacewalk-reports-4.1.5-3.9.1, spacewalk-setup-4.1.10-3.15.2, spacewalk-utils-4.1.19-3.27.2, spacewalk-web-4.1.31-3.39.1, suseRegisterInfo-4.1.4-4.6.2, susemanager-4.1.32-3.42.2, susemanager-doc-indexes-4.1-11.49.2, susemanager-docs_en-4.1-11.49.1, susemanager-schema-4.1.24-3.39.2, susemanager-sls-4.1.32-3.54.1, uyuni-common-libs-4.1.10-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-02-28 20:20:36 UTC
SUSE-SU-2022:0593-1: An update that solves one vulnerability and has 29 fixes is now available.

Category: security (moderate)
Bug References: 1097531,1173103,1189561,1190781,1191192,1191285,1191857,1192321,1192368,1192440,1192487,1192510,1192514,1192550,1192566,1192699,1192776,1193008,1193292,1193565,1193585,1193612,1193694,1193832,1194044,1194397,1194862,1194905,1194990,1195171
CVE References: CVE-2020-25638
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    c3p0-0.9.5.2-150300.4.3.1, dhcpd-formula-0.1.1641480250.d5bd14c-150300.3.3.1, hibernate5-5.3.7-150300.5.3.1, inter-server-sync-0.0.7-150300.8.9.1, mgr-libmod-4.2.7-150300.3.6.1, mgr-osad-4.2.7-150300.2.6.1, mgr-push-4.2.4-150300.2.6.1, py27-compat-salt-3000.3-150300.7.7.17.1, rhnlib-4.2.5-150300.4.6.1, salt-netapi-client-0.19.0-150300.3.3.1, saltboot-formula-0.1.1637232240.87d79ed-150300.3.6.1, spacecmd-4.2.15-150300.4.15.1, spacewalk-backend-4.2.19-150300.4.15.1, spacewalk-branding-4.2.12-150300.3.6.1, spacewalk-client-tools-4.2.16-150300.4.15.1, spacewalk-config-4.2.5-150300.3.3.1, spacewalk-java-4.2.32-150300.3.20.1, spacewalk-reports-4.2.7-150300.3.9.1, spacewalk-search-4.2.6-150300.3.6.1, spacewalk-setup-4.2.10-150300.3.12.1, spacewalk-utils-4.2.15-150300.3.12.1, spacewalk-web-4.2.25-150300.3.15.2, suseRegisterInfo-4.2.5-150300.4.6.1, susemanager-4.2.27-150300.3.19.1, susemanager-doc-indexes-4.2-150300.12.19.1, susemanager-docs_en-4.2-150300.12.19.1, susemanager-schema-4.2.20-150300.3.15.1, susemanager-sls-4.2.20-150300.3.17.1, uyuni-common-libs-4.2.6-150300.3.6.1, uyuni-config-formula-0.2-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-02-28 20:26:15 UTC
SUSE-RU-2022:0598-1: An update that has 31 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1097531,1173103,1189561,1190781,1191192,1191285,1191857,1192321,1192368,1192440,1192487,1192510,1192514,1192550,1192566,1192699,1192776,1193008,1193292,1193565,1193585,1193600,1193612,1193694,1193832,1194044,1194397,1194862,1194905,1194990,1195171
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.5-150300.3.27.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.5-150300.3.21.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.5-150300.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.