An update for hsqldb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1924 Final 1.0 1.0 2023-12-15 Initial 2023-12-15 2023-12-15 openEuler SA Tool V1.0 2023-12-15 hsqldb security update An update for hsqldb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2. HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In it's current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions! Security Fix(es): Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853) An update for hsqldb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical hsqldb https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1924 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41853 https://nvd.nist.gov/vuln/detail/CVE-2022-41853 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 hsqldb-lib-2.4.0-3.oe1.noarch.rpm hsqldb-demo-2.4.0-3.oe1.noarch.rpm hsqldb-2.4.0-3.oe1.noarch.rpm hsqldb-javadoc-2.4.0-3.oe1.noarch.rpm hsqldb-manual-2.4.0-3.oe1.noarch.rpm hsqldb-lib-2.4.0-4.oe1.noarch.rpm hsqldb-javadoc-2.4.0-4.oe1.noarch.rpm hsqldb-2.4.0-4.oe1.noarch.rpm hsqldb-demo-2.4.0-4.oe1.noarch.rpm hsqldb-manual-2.4.0-4.oe1.noarch.rpm hsqldb-manual-2.4.0-4.oe2203.noarch.rpm hsqldb-javadoc-2.4.0-4.oe2203.noarch.rpm hsqldb-2.4.0-4.oe2203.noarch.rpm hsqldb-demo-2.4.0-4.oe2203.noarch.rpm hsqldb-lib-2.4.0-4.oe2203.noarch.rpm hsqldb-lib-2.4.0-5.oe2203sp1.noarch.rpm hsqldb-javadoc-2.4.0-5.oe2203sp1.noarch.rpm hsqldb-demo-2.4.0-5.oe2203sp1.noarch.rpm hsqldb-manual-2.4.0-5.oe2203sp1.noarch.rpm hsqldb-2.4.0-5.oe2203sp1.noarch.rpm hsqldb-lib-2.4.0-5.oe2203sp2.noarch.rpm hsqldb-2.4.0-5.oe2203sp2.noarch.rpm hsqldb-demo-2.4.0-5.oe2203sp2.noarch.rpm hsqldb-manual-2.4.0-5.oe2203sp2.noarch.rpm hsqldb-javadoc-2.4.0-5.oe2203sp2.noarch.rpm hsqldb-2.4.0-3.oe1.src.rpm hsqldb-2.4.0-4.oe1.src.rpm hsqldb-2.4.0-4.oe2203.src.rpm hsqldb-2.4.0-5.oe2203sp1.src.rpm hsqldb-2.4.0-5.oe2203sp2.src.rpm Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property hsqldb.method_class_names to classes which are allowed to be called. For example, System.setProperty( hsqldb.method_class_names , abc ) or Java argument -Dhsqldb.method_class_names= abc can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled. 2023-12-15 CVE-2022-41853 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP2 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H hsqldb security update 2023-12-15 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1924