Published:2020/11/19  Last Updated:2020/11/19

JVN#90729322
Hibernate ORM vulnerable to SQL injection

Overview

Hibernate ORM is vulnerable to SQL injection.

Products Affected

  • Hibernate ORM, versions prior to 5.4.24
  • Hibernate ORM, versions prior to 5.3.20

Description

Hibernate ORM is an ORM framework for Java.
Hibernate ORM can be configured (hibernate.use_sql_comments to true, which is false by default) to add comments to generated SQL statements, aimed at debugging purpose.
When hibernate.use_sql_comments is configured to true, malicious input may produce unexpected SQL statements (CWE-89).

Impact

When hibernate.use_sql_comments is configured to true, malicious input may lead to SQL injection.

Solution

Update the Software
Update the Hibernate ORM to the latest version, according to the information from the developer.

Workarounds
set hibername.use_sql_comments to false.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 7.4
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

TERASOLUNA Framework Development Team of NTT DATA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-25638
JVN iPedia JVNDB-2020-000074