Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Affecting eap7-infinispan-core package, versions <0:11.0.17-1.Final_redhat_00001.1.el7eap


Severity

Recommended
high

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
2.5% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-EAP7INFINISPANCORE-5311197
  • published19 Oct 2022
  • disclosed6 Oct 2022

Introduced: 6 Oct 2022

CVE-2022-41853  (opens in a new tab)
CWE-470  (opens in a new tab)

How to fix?

Upgrade RHEL:7 eap7-infinispan-core to version 0:11.0.17-1.Final_redhat_00001.1.el7eap or higher.
This issue was patched in RHSA-2023:1512.

NVD Description

Note: Versions mentioned in the description apply only to the upstream eap7-infinispan-core package and not the eap7-infinispan-core package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

CVSS Scores

version 3.1