JVN#90729322
Hibernate ORM vulnerable to SQL injection
Overview
Hibernate ORM is vulnerable to SQL injection.
Products Affected
- Hibernate ORM, versions prior to 5.4.24
- Hibernate ORM, versions prior to 5.3.20
Description
Hibernate ORM is an ORM framework for Java.
Hibernate ORM can be configured to add comments to generated SQL statements for debugging purposes by setting hibernate.use_sql_comments to true (the default is false).
When hibernate.use_sql_comments is configured to true, malicious input may produce unexpected SQL statements (CWE-89).
Impact
When hibernate.use_sql_comments is configured to true, malicious input may lead to SQL injection.
Solution
Update the Software
Update Hibernate ORM to the latest version according to the information provided by the developer.
Workarounds
Set hibernate.use_sql_comments to false.
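An added example, not part of the advisory or of Hibernate's code: a Python audit that reports whether a deployment combines an affected version with use_sql_comments enabled, the two conditions named above. The file formats handled, the Spring Boot `spring.jpa.properties.*` prefix, the treatment of branches older than 5.3 as affected, and all sample inputs are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases per branch, taken from the advisory's "Products Affected" list.
FIXED = {(5, 3): (5, 3, 20), (5, 4): (5, 4, 24)}
SETTING = "use_sql_comments"  # suffix of hibernate.* and spring.jpa.properties.hibernate.*
LINE = re.compile(r"^\s*([\w.]*" + SETTING + r")\s*[=:\s]\s*(\S+)")

def version_affected(version):
    """True if a version such as '5.4.23.Final' predates the fix for its branch."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    # Assumption: branches older than 5.3 count as "prior to 5.3.20".
    return parts < FIXED.get(parts[:2], (5, 3, 20))

def comments_enabled(config_text):
    """True if properties, YAML or XML configuration text turns SQL comments on."""
    text = config_text.strip()
    if text.startswith("<"):  # hibernate.cfg.xml or persistence.xml style
        for el in ET.fromstring(text).iter():
            if el.tag.endswith("property") and el.get("name", "").endswith(SETTING):
                value = el.get("value") or el.text or ""
                if value.strip().lower() == "true":
                    return True
        return False
    enabled = False  # the default, per the advisory
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties/YAML comment lines
            continue
        m = LINE.match(line)
        if m:  # the last assignment wins, as in a properties file
            enabled = m.group(2).strip("\"'").lower() == "true"
    return enabled

def exposed(version, config_text):
    """Both conditions must hold: affected version and the non-default setting."""
    return version_affected(version) and comments_enabled(config_text)

# Constructed sample inputs (not taken from any real deployment).
PROPS = "hibernate.show_sql=true\nhibernate.use_sql_comments = true\n"
PERSISTENCE_XML = """<persistence><persistence-unit name="demo"><properties>
  <property name="hibernate.use_sql_comments" value="true"/>
</properties></persistence-unit></persistence>"""
YAML = "spring:\n  jpa:\n    properties:\n      hibernate:\n        use_sql_comments: false\n"

if __name__ == "__main__":
    for ver, cfg in [("5.4.23.Final", PROPS), ("5.3.19.Final", PERSISTENCE_XML),
                     ("5.4.23.Final", YAML), ("5.4.24.Final", PROPS)]:
        print(ver, "exposed:", exposed(ver, cfg))
```

The text scan is a heuristic: settings applied programmatically or through system properties at runtime are not visible to it.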
Vendor Status
| Vendor | Link |
|---|---|
| Hibernate Project | HHH-14225: CVE-2020-25638 Potential for SQL injection on use_sql_comments logging enabled |
| Red Hat | Red Hat CVE Database: CVE-2020-25638 |
| | Red Hat Bugzilla - Bug 1881353 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | | |
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | | |
| Scope(S) | Unchanged (U) | Changed (C) | | |
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) | |

| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
TERASOLUNA Framework Development Team of NTT DATA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2020-25638 |
| JVN iPedia | JVNDB-2020-000074 |