An update for hibernate4 is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1137 Final 1.0 1.0 2021-04-07 Initial 2021-04-07 2021-04-07 openEuler SA Tool V1.0 2021-04-07 hibernate4 security update An update for hibernate4 is now available for openEuler-20.03-LTS-SP1. Hibernate is a powerful, ultra-high performance object/relational persistence and query service for Java. Hibernate lets you develop persistent objects following common Java idiom - including association, inheritance, polymorphism, composition and the Java collections framework. Extremely fine-grained, richly typed object models are possible. The Hibernate Query Language, designed as a "minimal" object-oriented extension to SQL, provides an elegant bridge between the object and relational worlds. Hibernate is now the most popular ORM solution for Java. Security Fix(es): A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900) An update for hibernate4 is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium hibernate4 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1137 https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-14900 https://nvd.nist.gov/vuln/detail/CVE-2019-14900 openEuler-20.03-LTS-SP1 hibernate4-osgi-4.3.11-3.oe1.noarch.rpm hibernate4-javadoc-4.3.11-3.oe1.noarch.rpm hibernate4-testing-4.3.11-3.oe1.noarch.rpm hibernate4-core-4.3.11-3.oe1.noarch.rpm hibernate4-hikaricp-4.3.11-3.oe1.noarch.rpm hibernate4-proxool-4.3.11-3.oe1.noarch.rpm hibernate4-ehcache-4.3.11-3.oe1.noarch.rpm hibernate4-parent-4.3.11-3.oe1.noarch.rpm hibernate4-infinispan-4.3.11-3.oe1.noarch.rpm hibernate4-envers-4.3.11-3.oe1.noarch.rpm hibernate4-entitymanager-4.3.11-3.oe1.noarch.rpm hibernate4-c3p0-4.3.11-3.oe1.noarch.rpm hibernate4-4.3.11-3.oe1.src.rpm A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 2021-04-07 CVE-2019-14900 openEuler-20.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N hibernate4 security update 2021-04-07 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1137