[tomee] branch main updated: TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)

[rz...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomee.git


The following commit(s) were added to refs/heads/main by this push:
     new 7b899cdc5d TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
7b899cdc5d is described below

commit 7b899cdc5dc283e7247754f706183cac8ba89ada
Author: Richard Zowalla <ri...@hs-heilbronn.de>
AuthorDate: Mon Oct 10 14:19:35 2022 +0200

    TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
---
 .../src/main/java/org/apache/openejb/loader/SystemInstance.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
index f200a16d7f..4f03303afb 100644
--- a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
+++ b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
@@ -145,6 +145,13 @@ public final class SystemInstance {
         if (getProperty("hsqldb.reconfig_logging") == null) {
             setProperty("hsqldb.reconfig_logging", "false", true);
         }
+
+        // TOMEE-4086
+        // Prevent CVE-2022-41853 by setting hsqldb.method_class_names if it isn't set.
+        // See: https://github.com/advisories/GHSA-77xx-rxvh-q682
+        if (getProperty("hsqldb.method_class_names") == null) {
+            setProperty("hsqldb.method_class_names", "invalid", true);
+        }
     }
 
     public <E> E fireEvent(final E event) {