Warning: Remote code execution in Red Hat HyperSQL Database package
CVE-2022-41853 (CVSS v3 Base Score: 9.8)
Sources
https://access.redhat.com/security/cve/CVE-2022-41853
Risks
The vulnerable versions of HSQLDB do not sufficiently prevent untrusted user input from selecting improper classes or code to invoke, which can lead to Remote Code Execution (RCE).
Description
If java.sql.Statement or java.sql.PreparedStatement is used with HSQLDB to process untrusted input, the system is exposed to an RCE attack of low complexity with a high impact on confidentiality, integrity and availability.
This is due to the default behaviour of the vulnerable HSQLDB versions that allows a user to call any static method of any Java class in the classpath. An attacker with network access could supply values to select unexpected classes or methods and create control flow paths that were not intended by the developer. These paths can bypass authentication or access control checks. The attacker can then upload files in the application’s classpath that can lead to RCE on the affected system and provide the attacker with a foothold in the organisation.
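As an added example that is not part of the original advisory, the following Python scanner flags SQL statements that reference Java static methods outside an allowlist, so it can be run over an application's SQL log to spot use of the behaviour described above. The double-quoted method-name and CLASSPATH: syntax is assumed from the HSQLDB documentation, and the sample statements and the allowlist are constructed for the example.

```python
import re
from typing import Dict, List

# A double-quoted, fully-qualified Java method name followed by an argument
# list, e.g. "java.lang.Math.abs"(x). HSQLDB accepts this form for direct
# static-method calls (syntax assumed from the HSQLDB documentation).
DIRECT_CALL = re.compile(r'"((?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*)"\s*\(')

# The CLASSPATH: target of a routine declared with EXTERNAL NAME; any
# trailing parameter signature after the qualified name is ignored.
EXTERNAL_NAME = re.compile(r"EXTERNAL\s+NAME\s+'CLASSPATH:([\w$.]+)", re.IGNORECASE)

# Classes whose static methods the application is expected to call from SQL.
# Assumed allowlist for this example; tune it per deployment.
ALLOWED_CLASSES = {"java.lang.Math"}

def referenced_methods(sql: str) -> List[str]:
    """Return every fully-qualified Java method referenced by the statement."""
    return DIRECT_CALL.findall(sql) + EXTERNAL_NAME.findall(sql)

def class_of(method: str) -> str:
    """Strip the method name from a qualified name: 'a.b.C.m' -> 'a.b.C'."""
    return method.rsplit(".", 1)[0]

def flag_statement(sql: str) -> List[str]:
    """Return the methods in `sql` whose class is not on the allowlist."""
    return [m for m in referenced_methods(sql) if class_of(m) not in ALLOWED_CLASSES]

def scan(statements: List[str]) -> Dict[str, List[str]]:
    """Map each statement referencing a non-allowlisted class to those methods."""
    findings: Dict[str, List[str]] = {}
    for sql in statements:
        hits = flag_statement(sql)
        if hits:
            findings[sql] = hits
    return findings

# Constructed sample statements, as they might appear in an application's SQL log.
SAMPLE_STATEMENTS = [
    "SELECT id, name FROM accounts WHERE id = ?",
    'SELECT "java.lang.Math.abs"(balance) FROM accounts',
    'CALL "com.example.NotOnAllowlist.doWork"(\'x\')',
    "CREATE FUNCTION f(x INT) RETURNS INT LANGUAGE JAVA "
    "EXTERNAL NAME 'CLASSPATH:com.example.Unknown.run'",
]

if __name__ == "__main__":
    for sql, methods in scan(SAMPLE_STATEMENTS).items():
        print(f"non-allowlisted Java call(s) {methods} in: {sql}")
```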
Recommended Actions
Patch Red Hat's HSQLDB package to version 2.7.1.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2136141
https://cwe.mitre.org/data/definitions/470.html