CVE-2017-7536
It was found that when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because calling code can then reach those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member's value via ConstraintViolation#getInvalidValue().
Find out more about CVE-2017-7536 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 6.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:3458 | 2017-12-13 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2017:3141 | 2017-11-07 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2018:2742 | 2018-09-24 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:2811 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2018:2741 | 2018-09-24 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-hibernate-validator) | RHSA-2017:2808 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-hibernate-validator) | RHSA-2017:3454 | 2017-12-13 |
| Red Hat JBoss EAP 7 | RHSA-2017:2810 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-hibernate-validator) | RHSA-2017:3455 | 2017-12-13 |
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-hibernate-validator) | RHSA-2017:2809 | 2017-09-26 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:3458 | 2017-12-13 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2018:2743 | 2018-09-24 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:2740 | 2018-09-24 |
| Red Hat JBoss EAP 7 | RHSA-2017:3456 | 2017-12-13 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | eap7-hibernate-validator | Will not fix |
| Red Hat Satellite 6 | hibernate-validator | Will not fix |
| Red Hat OpenShift Enterprise 2 | hibernate-validator | Will not fix |
| Red Hat Mobile Application Platform On-Premise 4 | hibernate-validator | Not affected |
| Red Hat JBoss Portal Platform 6 | hibernate-validator | Will not fix |
| Red Hat JBoss Operations Network 3 | hibernate-validator | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | hibernate-validator | Not affected |
| Red Hat JBoss Fuse 7 | camel | Not affected |
| Red Hat JBoss Fuse 6 | camel | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 5 | hibernate-validator | Not affected |
| Red Hat JBoss EAP 5 | hibernate-validator | Will not fix |
| Red Hat JBoss Data Virtualization 6 | hibernate-validator | Not affected |
| Red Hat JBoss Data Grid 7 | hibernate-validator | Will not fix |
| Red Hat JBoss Data Grid 6 | hibernate-validator | Will not fix |
| Red Hat JBoss BRMS 6 | hibernate-validator | Not affected |
| Red Hat JBoss BPMS 6 | hibernate-validator | Not affected |
| RHEV Manager 3 | hibernate-validator | Will not fix |
