vulnerability

Amazon Linux AMI 2: CVE-2022-41853: Security patch for hsqldb (ALAS-2023-1914)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Oct 6, 2022	Jan 24, 2023	Jan 30, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Oct 6, 2022

Added

Jan 24, 2023

Modified

Jan 30, 2025

Description

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Solution(s)

amazon-linux-ami-2-upgrade-hsqldbamazon-linux-ami-2-upgrade-hsqldb-demoamazon-linux-ami-2-upgrade-hsqldb-javadocamazon-linux-ami-2-upgrade-hsqldb-manual

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today