121 lines
10 KiB
XML
121 lines
10 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for hsqldb1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2023-1944</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2023-12-22</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2023-12-22</InitialReleaseDate>
|
|
<CurrentReleaseDate>2023-12-22</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2023-12-22</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">hsqldb1 security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for hsqldb1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In it's current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions!
|
|
|
|
Security Fix(es):
|
|
|
|
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for hsqldb1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
|
|
|
|
openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Critical</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">hsqldb1</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1944</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41853</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-41853</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">openEuler-20.03-LTS-SP4</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">openEuler-22.03-LTS-SP2</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hsqldb1-javadoc-1.8.1.3-3.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hsqldb1-1.8.1.3-3.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">hsqldb1-1.8.1.3-3.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">hsqldb1-javadoc-1.8.1.3-3.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">hsqldb1-javadoc-1.8.1.3-3.oe2003sp4.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">hsqldb1-1.8.1.3-3.oe2003sp4.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">hsqldb1-1.8.1.3-3.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">hsqldb1-javadoc-1.8.1.3-3.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">hsqldb1-javadoc-1.8.1.3-3.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">hsqldb1-1.8.1.3-3.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-javadoc-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">hsqldb1-javadoc-1.8.1.3-3.oe2203sp2.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">hsqldb1-1.8.1.3-3.oe2203sp2.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hsqldb1-1.8.1.3-3.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">hsqldb1-1.8.1.3-3.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">hsqldb1-1.8.1.3-3.oe2003sp4.src.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">hsqldb1-1.8.1.3-3.oe2203.src.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">hsqldb1-1.8.1.3-3.oe2203sp1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="hsqldb1-1.8.1.3-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">hsqldb1-1.8.1.3-3.oe2203sp2.src.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property hsqldb.method_class_names to classes which are allowed to be called. For example, System.setProperty( hsqldb.method_class_names , abc ) or Java argument -Dhsqldb.method_class_names= abc can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-12-22</ReleaseDate>
|
|
<CVE>CVE-2022-41853</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP4</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Critical</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>9.8</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>hsqldb1 security update</Description>
|
|
<DATE>2023-12-22</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1944</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |