CVE-2017-7536

Impact: Moderate
Public Date: 2017-09-26
Bugzilla:
1465573: CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
It was found that when Hibernate Validator is granted the security manager's reflective permissions (the permissions that allow access to the private members of a class), a potential privilege escalation can occur. Because Hibernate Validator performs the reflective access on behalf of calling code that does not itself hold that permission, an attacker able to validate an invalid instance may read the value of a private member via ConstraintViolation#getInvalidValue().

Find out more about CVE-2017-7536 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 6.3
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2017:3141 | 2017-11-07 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-hibernate-validator) | RHSA-2017:2808 | 2017-09-26 |
| Red Hat JBoss EAP 7 | RHSA-2017:2810 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-hibernate-validator) | RHSA-2017:2809 | 2017-09-26 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | hibernate-validator | Affected |
| Red Hat OpenShift Enterprise 2 | hibernate-validator | Will not fix |
| Red Hat Mobile Application Platform On-Premise 4 | hibernate-validator | Not affected |
| Red Hat JBoss Portal Platform 6 | hibernate-validator | Under investigation |
| Red Hat JBoss Operations Network 3 | hibernate-validator | Under investigation |
| Red Hat JBoss Fuse Service Works 6 | hibernate-validator | Not affected |
| Red Hat JBoss Fuse 6 | hibernate-validator | Under investigation |
| Red Hat JBoss Enterprise SOA Platform 5 | hibernate-validator | Not affected |
| Red Hat JBoss EAP 6 | hibernate-validator | Not affected |
| Red Hat JBoss EAP 5 | hibernate-validator | Under investigation |
| Red Hat JBoss Data Virtualization 6 | hibernate-validator | Not affected |
| Red Hat JBoss Data Grid 7 | hibernate-validator | Under investigation |
| Red Hat JBoss Data Grid 6 | hibernate-validator | Under investigation |
| Red Hat JBoss BRMS 6 | hibernate-validator | Not affected |
| Red Hat JBoss BPMS 6 | hibernate-validator | Not affected |
| RHEV-M for Servers | hibernate-validator | Will not fix |
| RHEV-M 4.0 | eap7-hibernate-validator | Affected |

Acknowledgements

This issue was discovered by Gunnar Morling (Red Hat).
