Posted to commits@tomee.apache.org by rz...@apache.org on 2022/10/10 12:19:50 UTC
[tomee] 02/02: TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
This is an automated email from the ASF dual-hosted git repository.
rzo1 pushed a commit to branch tomee-8.x
in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 286b979044fded5be2a00fff77443d167ca0a82c
Author: Richard Zowalla <ri...@hs-heilbronn.de>
AuthorDate: Mon Oct 10 14:19:35 2022 +0200
TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
---
.../src/main/java/org/apache/openejb/loader/SystemInstance.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
index f200a16d7f..4f03303afb 100644
--- a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
+++ b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
@@ -145,6 +145,13 @@ public final class SystemInstance {
if (getProperty("hsqldb.reconfig_logging") == null) {
setProperty("hsqldb.reconfig_logging", "false", true);
}
+
+ // TOMEE-4086
+ // Prevent CVE-2022-41853 by setting hsqldb.method_class_names if it isn't set.
+ // See: https://github.com/advisories/GHSA-77xx-rxvh-q682
+ if (getProperty("hsqldb.method_class_names") == null) {
+ setProperty("hsqldb.method_class_names", "invalid", true);
+ }
}
public <E> E fireEvent(final E event) {
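Review bot: The issue key in the added comment (`// TOMEE-4086`) disagrees with the commit title, which files this under TOMEE-4088; one of the two is wrong and the comment is what future readers will grep for. The guard only consults this SystemInstance's own `getProperty`, whereas the advisory linked in the comment describes `hsqldb.method_class_names` as a JVM-level property read by HSQLDB itself; whether the `true` flag on `setProperty` also publishes the value as a system property cannot be seen in this hunk, and if it does not, the mitigation is silently ineffective, so that should be confirmed and stated in the comment. I would also make the intent of the sentinel explicit, e.g. `// "invalid" matches no class, so HSQLDB denies static Java method routines unless the deployer opts in.`, since "Prevent CVE-2022-41853" alone does not say how the value achieves that. The enclosing method begins above the hunk, so any earlier handling of these properties is not visible here.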