CVE-2022-41853 Overview
CVE-2022-41853 is a critical remote code execution vulnerability affecting HyperSQL Database (HSQLDB). Applications using java.sql.Statement or java.sql.PreparedStatement to process untrusted input are vulnerable to arbitrary code execution. By default, HSQLDB allows calling any static method of any Java class in the classpath, enabling attackers to execute malicious code through crafted SQL statements.
Critical Impact
Attackers can achieve full remote code execution on affected systems by exploiting the default permissive configuration that allows unrestricted static method invocation from SQL queries.
Affected Products
- HSQLDB HyperSQL Database (versions prior to 2.7.1)
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- 2022-10-06 - CVE-2022-41853 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-41853
Vulnerability Analysis
This vulnerability stems from HSQLDB's permissive default configuration for Java method invocation within SQL queries. The database engine provides functionality that allows SQL statements to call static Java methods directly. Prior to version 2.7.1, no restrictions were placed on which classes or methods could be invoked, meaning any static method from any class in the application's classpath was accessible through SQL queries.
When an application processes untrusted user input through java.sql.Statement or java.sql.PreparedStatement without proper sanitization, an attacker can craft malicious SQL queries that invoke dangerous Java methods. These could include methods for executing system commands, reading or writing files, or establishing network connections, effectively granting complete control over the system running the vulnerable application.
Root Cause
The root cause is classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code). HSQLDB's architecture permits SQL-to-Java method calls as a feature, but the default configuration prior to version 2.7.1 placed no restrictions on which classes could be accessed. This design decision assumed trusted input sources, creating a significant security gap when applications exposed this functionality to untrusted data.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted SQL queries to an application that uses HSQLDB for data processing. The malicious queries leverage HSQLDB's capability to call Java static methods, targeting dangerous methods available in the classpath.
The exploitation typically involves constructing SQL statements that invoke methods capable of executing arbitrary system commands. Since the vulnerability requires only the ability to submit SQL queries that reach the database processing layer, web applications, APIs, or any network-accessible service using HSQLDB for untrusted input processing are at risk.
Detection Methods for CVE-2022-41853
Indicators of Compromise
- Unusual SQL queries containing Java class references or method invocations in database logs
- Unexpected process spawning from Java/HSQLDB application processes
- Network connections initiated from database-hosting systems to unknown external addresses
- File system modifications in sensitive directories originating from the HSQLDB process
Detection Strategies
- Monitor SQL query logs for patterns containing Java method invocation syntax such as CALL statements with fully qualified class names
- Implement application-layer SQL query analysis to detect attempts to invoke Java methods through database queries
- Deploy runtime application self-protection (RASP) solutions to detect and block malicious method invocations
- Use SentinelOne Singularity to detect post-exploitation behaviors including suspicious process execution chains
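The query-log check described above, as an added example that is not part of the original advisory: it flags any fully qualified Java class reference that is not on an allowlist, using java.lang.Math as the default allowlist to mirror the HSQLDB 2.7.1 behaviour. The two syntax forms matched (a quoted class followed by a method call, and the EXTERNAL NAME 'CLASSPATH:...' clause of CREATE FUNCTION) and the sample log lines are assumptions constructed for this example, not real HSQLDB output.

```python
import re

# Allowlist mirroring the HSQLDB 2.7.1 default: only java.lang.Math is callable.
ALLOWED_CLASSES = {"java.lang.Math"}

IDENT = r"[A-Za-z_$][\w$]*"
FQCN = rf"(?:{IDENT}\.)+{IDENT}"
# Form 1 (assumed log shape): quoted fully qualified class followed by a method call,
# e.g. CALL "java.lang.Math".abs(-5)
QUOTED_CALL = re.compile(rf'"({FQCN})"\s*\.\s*({IDENT})\s*\(')
# Form 2 (assumed log shape): CREATE FUNCTION ... EXTERNAL NAME 'CLASSPATH:pkg.Class.method'
CLASSPATH_REF = re.compile(rf"CLASSPATH:({FQCN})\.({IDENT})", re.IGNORECASE)


def java_method_refs(sql):
    """Return (class, method) pairs for every static Java reference found in one SQL text."""
    refs = [(m.group(1), m.group(2)) for m in QUOTED_CALL.finditer(sql)]
    refs += [(m.group(1), m.group(2)) for m in CLASSPATH_REF.finditer(sql)]
    return refs


def disallowed_refs(sql, allowed=ALLOWED_CLASSES):
    """Fully qualified method names whose class is outside the allowlist."""
    return [f"{cls}.{meth}" for cls, meth in java_method_refs(sql) if cls not in allowed]


def scan_log(lines, allowed=ALLOWED_CLASSES):
    """Scan SQL log lines; return (line_number, [flagged refs]) for every line needing review."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = disallowed_refs(line, allowed)
        if bad:
            hits.append((n, bad))
    return hits


# Constructed sample log lines (not real HSQLDB output).
SAMPLE_LOG = [
    "SELECT id, name FROM customers WHERE id = 42",
    'CALL "java.lang.Math".abs(-5)',
    'SELECT "java.lang.System".currentTimeMillis() FROM (VALUES(0))',
    "CREATE FUNCTION new_id() RETURNS VARCHAR(36) LANGUAGE JAVA DETERMINISTIC NO SQL "
    "EXTERNAL NAME 'CLASSPATH:java.util.UUID.randomUUID'",
]

if __name__ == "__main__":
    for n, bad in scan_log(SAMPLE_LOG):
        print(f"line {n}: non-allowlisted Java call(s): {', '.join(bad)}")
```

Lines 3 and 4 of the sample are reported; the java.lang.Math call on line 2 passes because that class stays callable under the patched default.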
Monitoring Recommendations
- Enable verbose SQL logging in HSQLDB to capture all executed queries for forensic analysis
- Configure alerts for unusual outbound network connections from systems running HSQLDB
- Monitor Java process behavior for execution of child processes or shell commands
- Implement database activity monitoring (DAM) solutions to track and analyze SQL statement patterns
How to Mitigate CVE-2022-41853
Immediate Actions Required
- Upgrade HSQLDB to version 2.7.1 or later immediately; in these versions class access is restricted by default
- If immediate upgrade is not possible, set the hsqldb.method_class_names system property to restrict accessible classes
- Audit all applications using HSQLDB to identify those processing untrusted input
- Implement input validation and parameterized queries as defense-in-depth measures
Patch Information
The vulnerability is addressed in HSQLDB version 2.7.1. In this patched version, all classes are inaccessible by default except those in java.lang.Math. Applications requiring access to additional classes must explicitly enable them. Organizations should prioritize upgrading to this version or later. For additional guidance, refer to the HSQLDB Access Control Documentation. Debian users should apply updates from Debian Security Advisory DSA-5313 or the Debian LTS Announcement.
Workarounds
- Set the system property hsqldb.method_class_names to restrict method access (e.g., System.setProperty("hsqldb.method_class_names", "abc"))
- Pass the Java argument -Dhsqldb.method_class_names="abc" at application startup to limit accessible classes
- Implement network segmentation to restrict access to systems running vulnerable HSQLDB instances
- Deploy web application firewalls (WAF) with rules to detect and block SQL injection attempts targeting Java method invocation
# Configuration example - Restrict HSQLDB method access via JVM argument
java -Dhsqldb.method_class_names="java.lang.Math" -jar your-application.jar
# Alternative: Set system property programmatically before database initialization
# System.setProperty("hsqldb.method_class_names", "java.lang.Math");
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

