Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager
Salvatore Bonaccorso
carnil at debian.org
Mon Jan 8 16:44:47 UTC 2018
Hi Abhijith, hi Markus
On Mon, Jan 08, 2018 at 04:01:17PM +0100, Markus Koschany wrote:
> On 08.01.2018 at 13:32, Abhijith PA wrote:
> > Hello. :)
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects
> > all 5.x versions. But Debian hasn't shipped this version yet. And the
> > upstream patched files don't exist in 4.3.3 (version in Debian sid).
> > So could you please elaborate on how your research finds 4.3.3 affected?
>
> Hello,
>
> I also had a look at this bug yesterday and I came to the same
> conclusion. The upstream patch doesn't work for the 4.x branch. I am not
> sure if we are affected at all.
First, take my initial post with the note I have written there. I'm
not too familiar with libhibernate-java, and did the following
inspection. The upstream patch is
https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
which, as you noted, is in the 5.x branch. Looking at 4.3.3-3 in
unstable, the above touches private Member getAccessible, which is
found in
engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java.
This code is found in unstable in
engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java:
1418     private Member getAccessible(Member original) {
1419         if ( ( (AccessibleObject) original ).isAccessible() ) {
1420             return original;
1421         }
1422
1423         Member member = accessibleMembers.get( original );
1424
1425         if ( member != null ) {
1426             return member;
1427         }
1428
1429         Class<?> clazz = original.getDeclaringClass();
From my understanding, before continuing in 1429, upstream added in the
5.x branch a call to SecurityManager sm =
System.getSecurityManager();, doing the permission check (note that
this has been added as a new file as well in the 5.x branch), and then
continues.
In GetDeclaredField.java, in GetDeclaredField:
40     @Override
41     public Field run() {
42         try {
43             final Field field = clazz.getDeclaredField( fieldName );
44             field.setAccessible( true );
45             return field;
46         }
47         catch ( NoSuchFieldException e ) {
48             return null;
49         }
50     }
So the patched files exist, and a similar code flow is present.
I explicitly have not looked (yet) at 4.0.2.GA, which is in jessie (and
wheezy), just at the 4.3.3-based versions in stable and unstable.
What do you miss?
Regards,
Salvatore
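To illustrate the code flow discussed above, here is an added example (not the upstream patch and not code from the Debian package) that puts the quoted GetDeclaredField shape next to a variant with an explicit permission check before doPrivileged. It assumes a standard ReflectPermission("suppressAccessChecks") as a stand-in for the permission class the upstream fix adds, and a constructed class with a private field as the target.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedReflectionDemo {

    // Same shape as the quoted GetDeclaredField: setAccessible(true) runs
    // inside doPrivileged, so only this library's own protection domain is
    // consulted by the security manager, never the caller's.
    static final class GetDeclaredField implements PrivilegedAction<Field> {
        private final Class<?> clazz;
        private final String fieldName;
        GetDeclaredField(Class<?> clazz, String fieldName) {
            this.clazz = clazz;
            this.fieldName = fieldName;
        }
        @Override
        public Field run() {
            try {
                Field field = clazz.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException e) {
                return null;
            }
        }
    }

    // Unchecked flow: a caller that is itself denied suppressAccessChecks
    // still gets a private member opened up on its behalf.
    static Member getAccessibleUnchecked(Class<?> clazz, String fieldName) {
        return AccessController.doPrivileged(new GetDeclaredField(clazz, fieldName));
    }

    // Checked flow: checkPermission before doPrivileged walks the whole
    // stack, including the caller, and throws SecurityException if any
    // frame lacks the permission. (Stand-in for upstream's own permission.)
    static Member getAccessibleChecked(Class<?> clazz, String fieldName) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
        return AccessController.doPrivileged(new GetDeclaredField(clazz, fieldName));
    }

    private int secret = 42; // constructed target field for the demo

    public static void main(String[] args) {
        // Run with -Djava.security.manager and a policy that grants
        // suppressAccessChecks to this class's codebase only to see the
        // two flows diverge for a less-privileged caller.
        Member m = getAccessibleUnchecked(PrivilegedReflectionDemo.class, "secret");
        System.out.println(((AccessibleObject) m).isAccessible());
    }
}
```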