19.10.2022 - As part of our goal to continuously improve our vulnerability detectors, we continuously test various open-source projects with Jazzer in collaboration with OSS-Fuzz. In this case, a test run yielded a severe finding: a potential remote code execution in HSQLDB (CVE-2022-41853).

A potential remote code execution vulnerability was detected in HSQLDB.

Affected versions: all versions <= 2.7.0

Critical - CVSS Base Score: 9.8

Applications that are using HSQLDB to process untrusted input may be affected. The library ranks 139th in the Maven repository and 2nd among embedded SQL databases. It is used by more than 3,113 Maven packages, including LibreOffice, JBoss, Log4j, Hibernate and Spring-Boot (which itself has thousands of usages, with the potential of transitive risk), and various enterprise software solutions.

If HSQLDB is used to process queries with user input, the java.sql.Statement or java.sql.PreparedStatement code paths may be vulnerable to remote code execution.

The issue is already fixed upstream and will be available in the next release. From version 2.7.1, the property hsqldb.method_class_names must be set explicitly before any Java static method outside java.lang.Math can be called from SQL.

Vulnerability Description

The vulnerability lies in java.sql.Statement and java.sql.PreparedStatement, in the parsing procedure for binary and text format data. By default, SQL statements can be used to call any static method of any Java class in the class path. HSQLDB (HyperSQL DataBase) allowed direct use of such methods, e.g. call org.hsqldb.clazz.meth().

Impact of CVE-2022-41853

Applications using java.sql.Statement or java.sql.PreparedStatement in HSQLDB with untrusted input may be vulnerable to a remote code execution attack.

Remediation and Mitigation

The hsqldb.method_class_names property must be defined with a list of class names or wildcards in case a static Java method is used as the target of an HSQLDB routine. Without a property definition, the use of Java static methods, except those in java.lang.Math, should not be allowed. Developers can prevent the issue by defining the system property. For example:

System.setProperty("hsqldb.method_class_names", "abc");

java -Dhsqldb.method_class_names="abc"
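A defender-side illustration, added here and not part of the original advisory or of HSQLDB's own code: it sets the allow-list property the advisory describes before the first connection is opened, and contrasts concatenating untrusted input into a java.sql.Statement with binding it through a java.sql.PreparedStatement. The allow-listed class name com.example.sqlfuncs.Helpers, the users table and its sample row are constructed for this example and are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class HsqldbMethodAllowlist {

    // Allow-list of classes whose static methods SQL may call; the class name
    // is hypothetical (the advisory's "abc" is the same kind of value).
    // Set it before the first HSQLDB connection is opened; in production the
    // JVM flag -Dhsqldb.method_class_names=... is the more robust choice.
    static {
        if (System.getProperty("hsqldb.method_class_names") == null) {
            System.setProperty("hsqldb.method_class_names", "com.example.sqlfuncs.Helpers");
        }
    }

    // Vulnerable pattern: untrusted text is concatenated into the statement, so
    // the caller's input is parsed as SQL by the affected code path.
    static String lookupUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened pattern: a bind parameter keeps the input out of the SQL parser;
    // together with the allow-list above this is the recommended shape.
    static String lookupSafe(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // In-memory database with one constructed row; needs hsqldb.jar on the class path.
        try (Connection c = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(64), email VARCHAR(128))");
                st.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')");
            }
            // A quote character in the input is treated as data when bound.
            System.out.println(lookupSafe(c, "o'brien"));
            System.out.println(lookupSafe(c, "alice"));
        }
    }
}
```

Run it once with and once without the static initializer to confirm that the property is visible to HSQLDB before the driver loads; lookupUnsafe is kept only to show the shape that must be removed from code handling untrusted input.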