CVE-2017-7536

Impact: Moderate
Public Date: 2017-09-26
Bugzilla: 1465573: CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
It was found that when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because Hibernate Validator then lets calling code reach those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read a private member's value via ConstraintViolation#getInvalidValue().

Find out more about CVE-2017-7536 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 6.3
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:3458 | 2017-12-13
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2017:3141 | 2017-11-07
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2018:2742 | 2018-09-24
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2018:2741 | 2018-09-24
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-hibernate-validator) | RHSA-2017:2808 | 2017-09-26
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:2740 | 2018-09-24
Red Hat JBoss EAP 7 | RHSA-2017:2810 | 2017-09-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-hibernate-validator) | RHSA-2017:3455 | 2017-12-13
Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-hibernate-validator) | RHSA-2017:2809 | 2017-09-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:3458 | 2017-12-13
Red Hat JBoss Fuse 6.3 | RHSA-2018:3817 | 2018-12-11
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2018:2743 | 2018-09-24
Red Hat JBoss A-MQ 6.3 | RHSA-2018:3817 | 2018-12-11
Red Hat JBoss EAP 7 | RHSA-2017:3456 | 2017-12-13
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-hibernate-validator) | RHSA-2017:3454 | 2017-12-13

Affected Packages State

Platform | Package | State
Red Hat Virtualization 4 | eap7-hibernate-validator | Will not fix
Red Hat Satellite 6 | hibernate-validator | Will not fix
Red Hat OpenShift Enterprise 2 | hibernate-validator | Will not fix
Red Hat OpenShift Application Runtimes 1.0 | swarm | Not affected
Red Hat OpenShift Application Runtimes 1.0 | springboot | Not affected
Red Hat Mobile Application Platform On-Premise 4 | hibernate-validator | Not affected
Red Hat JBoss Portal Platform 6 | hibernate-validator | Will not fix
Red Hat JBoss Operations Network 3 | hibernate-validator | Will not fix
Red Hat JBoss Fuse Service Works 6 | hibernate-validator | Not affected
Red Hat JBoss Fuse 7 | camel | Not affected
Red Hat JBoss Enterprise SOA Platform 5 | hibernate-validator | Not affected
Red Hat JBoss EAP 5 | hibernate-validator | Will not fix
Red Hat JBoss Data Virtualization 6 | hibernate-validator | Not affected
Red Hat JBoss Data Grid 7 | hibernate-validator | Will not fix
Red Hat JBoss Data Grid 6 | hibernate-validator | Not affected
Red Hat JBoss BRMS 6 | hibernate-validator | Not affected
Red Hat JBoss BPMS 6 | hibernate-validator | Not affected
RHEV Manager 3 | hibernate-validator | Will not fix

Acknowledgements

This issue was discovered by Gunnar Morling (Red Hat).