Posted to commits@tomee.apache.org by rz...@apache.org on 2022/10/18 10:00:18 UTC
[tomee] branch main updated: TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
This is an automated email from the ASF dual-hosted git repository.
rzo1 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/main by this push:
new 7b899cdc5d TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
7b899cdc5d is described below
commit 7b899cdc5dc283e7247754f706183cac8ba89ada
Author: Richard Zowalla <ri...@hs-heilbronn.de>
AuthorDate: Mon Oct 10 14:19:35 2022 +0200
TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
---
.../src/main/java/org/apache/openejb/loader/SystemInstance.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
index f200a16d7f..4f03303afb 100644
--- a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
+++ b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
@@ -145,6 +145,13 @@ public final class SystemInstance {
if (getProperty("hsqldb.reconfig_logging") == null) {
setProperty("hsqldb.reconfig_logging", "false", true);
}
+
+ // TOMEE-4086
+ // Prevent CVE-2022-41853 by setting hsqldb.method_class_names if it isn't set.
+ // See: https://github.com/advisories/GHSA-77xx-rxvh-q682
+ if (getProperty("hsqldb.method_class_names") == null) {
+ setProperty("hsqldb.method_class_names", "invalid", true);
+ }
}
public <E> E fireEvent(final E event) {
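Review bot: The added comment cites TOMEE-4086 while the commit itself is TOMEE-4088, so one of the two is a typo; the comment should carry the same issue key as the commit so the workaround stays traceable, e.g. `// TOMEE-4088`. The comment also never says why `"invalid"` is a safe default: HSQLDB reads hsqldb.method_class_names as the allow-list of classes whose static methods SQL routines may invoke, so a value that names no loadable class effectively disables Java routines, and deployments that rely on them must set the property explicitly before this code runs — worth recording, e.g. `// A value matching no class disables all Java static-method routines; deployments that need them must set this property themselves.`. Because the guard is only a null check, an empty or deliberately permissive value set earlier is honored unchanged, which looks intended but deserves a sentence in the comment. If HSQLDB reads this property once during class initialization, this block has to run before any HSQLDB class is loaded; the enclosing method starts outside the hunk, so that ordering cannot be confirmed from here.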