OESA-2023-1924

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1924

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2023-1924.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2023-1924

Upstream

CVE-2022-41853

Published

2023-12-15T11:06:29Z

Modified

2025-08-12T05:15:17.364947Z

Summary

hsqldb security update

Details

HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In it's current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions!

Security Fix(es):

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.methodclassnames" to classes which are allowed to be called. For example, System.setProperty("hsqldb.methodclassnames", "abc") or Java argument -Dhsqldb.methodclassnames="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / hsqldb

Package

Name: hsqldb
Purl: pkg:rpm/openEuler/hsqldb&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-3.oe1

Ecosystem specific

{
    "src": [
        "hsqldb-2.4.0-3.oe1.src.rpm"
    ],
    "noarch": [
        "hsqldb-lib-2.4.0-3.oe1.noarch.rpm",
        "hsqldb-demo-2.4.0-3.oe1.noarch.rpm",
        "hsqldb-2.4.0-3.oe1.noarch.rpm",
        "hsqldb-javadoc-2.4.0-3.oe1.noarch.rpm",
        "hsqldb-manual-2.4.0-3.oe1.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / hsqldb

Package

Name: hsqldb
Purl: pkg:rpm/openEuler/hsqldb&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-4.oe1

Ecosystem specific

{
    "src": [
        "hsqldb-2.4.0-4.oe1.src.rpm"
    ],
    "noarch": [
        "hsqldb-lib-2.4.0-4.oe1.noarch.rpm",
        "hsqldb-javadoc-2.4.0-4.oe1.noarch.rpm",
        "hsqldb-2.4.0-4.oe1.noarch.rpm",
        "hsqldb-demo-2.4.0-4.oe1.noarch.rpm",
        "hsqldb-manual-2.4.0-4.oe1.noarch.rpm"
    ]
}

openEuler:22.03-LTS / hsqldb

Package

Name: hsqldb
Purl: pkg:rpm/openEuler/hsqldb&distro=openEuler-22.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-5.oe2203sp2

Ecosystem specific

{
    "src": [
        "hsqldb-2.4.0-4.oe2203.src.rpm",
        "hsqldb-2.4.0-5.oe2203sp1.src.rpm",
        "hsqldb-2.4.0-5.oe2203sp2.src.rpm"
    ],
    "noarch": [
        "hsqldb-manual-2.4.0-4.oe2203.noarch.rpm",
        "hsqldb-javadoc-2.4.0-4.oe2203.noarch.rpm",
        "hsqldb-2.4.0-4.oe2203.noarch.rpm",
        "hsqldb-demo-2.4.0-4.oe2203.noarch.rpm",
        "hsqldb-lib-2.4.0-4.oe2203.noarch.rpm",
        "hsqldb-lib-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-javadoc-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-demo-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-manual-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-lib-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-demo-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-manual-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-javadoc-2.4.0-5.oe2203sp2.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / hsqldb

Package

Name: hsqldb
Purl: pkg:rpm/openEuler/hsqldb&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-5.oe2203sp1

Ecosystem specific

{
    "src": [
        "hsqldb-2.4.0-5.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "hsqldb-lib-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-javadoc-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-demo-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-manual-2.4.0-5.oe2203sp1.noarch.rpm",
        "hsqldb-2.4.0-5.oe2203sp1.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP2 / hsqldb

Package

Name: hsqldb
Purl: pkg:rpm/openEuler/hsqldb&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-5.oe2203sp2

Ecosystem specific

{
    "src": [
        "hsqldb-2.4.0-5.oe2203sp2.src.rpm"
    ],
    "noarch": [
        "hsqldb-lib-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-demo-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-manual-2.4.0-5.oe2203sp2.noarch.rpm",
        "hsqldb-javadoc-2.4.0-5.oe2203sp2.noarch.rpm"
    ]
}