24 October 2022 at 14:46 UTC
Updated: 25 October 2022 at 08:00 UTC
Mishandling of untrusted input issue resolved by developers
Security researchers have discovered a serious vulnerability in HyperSQL DataBase (HSQLDB) that poses a remote code execution (RCE) risk.
HSQLDB offers a Java-based SQL relational database system. The technology – which is the second most popular embedded SQL database with 100 million downloads to date – is used for development, testing, and deployment of database applications.
HSQLDB is used by more than 3,120 Maven packages including LibreOffice, JBoss, Log4j, Hibernate, and Spring-Boot as well as various enterprise software packages.
Security researchers from Code Intelligence discovered the RCE vulnerability (tracked as CVE-2022-41853 and rated with a near-maximum CVSS severity score of 9.8) after running a series of fuzzing tests.
More precisely, they found that the parsing procedure for binary and text format data in the java.sql.Statement and java.sql.PreparedStatement components of the technology were flawed.
All versions of the software up to and including HSQLDB version 2.7.0 are vulnerable. Code Intelligence contacted HSQL Development Group, the developers of HSQLDB, who responded promptly by putting together a fix and a workaround that helps safeguard previous versions.
HSQLDB is yet to respond to a request for comment from The Daily Swig but security researchers from Code Intelligence have confirmed that a patch is in the pipeline.
“The issue is already fixed upstream and will be available in the next release,” Code Intelligence said. “From version 2.7.1. the property hsqldb.method_class_names must be defined with a list of class names or wild cards if any Java static method is used as an HSQLDB routine target.”
The previous implementations caused a problem because the use of Java static methods, except those in java.lang.Math, should not be allowed without defining the system property or else problems can arise.
A technical write-up of the issue by Code Intelligence explains the root cause of the problem in more depth.
“By default, SQL statements can be used to call any static method from any Java class in the class path. HSQLDB (HyperSQL DataBase) allowed direct use of methods,” a post on Medium last week explains.
The vulnerability means that using java.sql.Statement or java.sql.PreparedStatement in pre-patch versions of HSQLDB along with untrusted input may leave applications vulnerable to an RCE attack.
In response to queries from The Daily Swig, Khaled Yakdan, co-founder of Code Intelligence, explained that an app does not have to be vulnerable to SQL injection for the issue to come into play.
“The current default configuration allows static methods of any class that is on the classpath to be used,” Yakdan said. “Moreover, direct use of methods is allowed for legacy compatibility.”
Yakdan declined to speculate on which particular apps might be vulnerable, but he was able to explain the impact of the flaw in cases where it was activated.
“We only focus on finding bugs and don’t investigate which code bases are vulnerable,” Yakdan told The Daily Swig. “The impact of this CVE is that if you use HyperSQL to process queries that include (untrusted) user input, attackers may be able to cause your app to execute arbitrary code.”