CVE-2020-25638 Potential for SQL injection on use_sql_comments logging enabled

Description

This is a security fix relating to https://access.redhat.com/security/cve/CVE-2020-25638 .

The flaw has been present in Hibernate ORM for many years, so many older versions are affected.

An upgrade is recommended, but if you are using a very old version that makes upgrading to the latest supported series (5.4 and 5.3 at the time of writing) difficult, you can disable SQL comments by setting:

hibernate.use_sql_comments=false

This is also the default, so if you did not set use_sql_comments at all, you are not affected.

The problem

Hibernate ORM correctly sanitises query parameters and the SQL it executes, but when the use_sql_comments option is enabled it also includes a comment in the SQL sent to the relational database; that comment could itself contain escape sequences that modify the semantics of the executed SQL statement.
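The hazard described above, as an added stand-alone illustration that is not Hibernate's code: `prefix_with_comment` models the verbatim insertion of the comment text that use_sql_comments=true performs, `executed_sql` shows what the database parses once the block comment ends, and `comment_is_safe` / `neutralise_comment` are an assumed defensive check and mitigation, not the project's actual fix.

```python
import re

# Constructed sample query; the comment text is the only untrusted input here.
INTENDED_SQL = "select id, name from customer where id = ?"


def prefix_with_comment(comment: str, sql: str) -> str:
    """Model of use_sql_comments=true: the comment text is placed verbatim
    inside a /* ... */ block in front of the statement."""
    return f"/* {comment} */ {sql}"


def executed_sql(statement: str) -> str:
    """What the database sees as the statement: everything after the first '*/'
    closes the leading block comment."""
    _, _, rest = statement.partition("*/")
    return rest.strip()


def comment_is_safe(comment: str) -> bool:
    """Defensive check (assumption, not Hibernate's check): the text must not be
    able to close the block comment or introduce a line break, otherwise it can
    change what the database executes."""
    return "*/" not in comment and "\n" not in comment and "\r" not in comment


def neutralise_comment(comment: str) -> str:
    """Illustrative mitigation (assumption, not Hibernate's actual fix): break
    every '*/' and flatten line terminators so the comment stays a comment."""
    cleaned = comment.replace("*/", "* /")
    return re.sub(r"[\r\n]+", " ", cleaned)


def build_statement(comment: str, sql: str = INTENDED_SQL) -> str:
    """Emit the comment-prefixed statement, neutralising unsafe comment text
    first instead of inserting it verbatim."""
    if not comment_is_safe(comment):
        comment = neutralise_comment(comment)
    return prefix_with_comment(comment, sql)
```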


Activity

Sanne Grinovero
February 16, 2021, 10:14 AM

Good point, I’ll forward your suggestion to the security team. Thanks!

Colm O hEigeartaigh
February 16, 2021, 8:33 AM

Could the CVE be updated to reflect the fact that it’s also fixed in 5.3.20? Right now it only says the fix is in 5.4.24.

Fixed

Assignee

Sanne Grinovero

Reporter

Sanne Grinovero


Priority

Blocker