#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Liima - Automation Middleware (AMW)
# Vendor:   Liima Open Source Project
# CSNC ID:  CSNC-2022-020
# CVE ID:   CVE-2023-26093
# Subject:  Hibernate Query Language (HQL) Injection
# Risk:     High
# Effect:   Database query injection
# Author:   Marc Tanner
# Date:     2023-01-30
#
#############################################################


Introduction
------------

Liima - Automated Middleware makes it possible to manage the configurations
of Java EE applications on an unlimited number of different environments with
various versions, including the automated deployment of those apps [1,2].

Liima v1.17.27 (and possibly earlier versions) is vulnerable to a Hibernate
Query Language (HQL) injection.


Technical Description
---------------------

Liima uses the Hibernate ORM library [3] and incorporates user-provided input
into HQL queries, which are eventually translated to SQL and executed by the
underlying database.

The `colToSort` URL parameter of the deployment filtering functionality on the
following API endpoint is vulnerable to an HQL injection. The value is placed
verbatim into the ORDER BY clause of the query, as the error message below
shows:

GET /AMW_rest/resources/deployments/filter?filters=...&colToSort=CASE+WHEN+%281%29+THEN+1+ELSE+0+END&sortDirection=ASC

The server responds with:

HTTP/1.1 400 Bad Request
...
Error org.hibernate.hql.internal.ast.QuerySyntaxException: unexpected AST node: 1 near line 1, column 220 [select d from ch.puzzle.itc.mobiliar.business.deploy.entity.DeploymentEntity d left join fetch d.release left join fetch d.context where ((d.resourceGroup.name like :Applicationserver0 ESCAPE '\' )) order by CASE WHEN (1) THEN 1 ELSE 0 END ASC, d.id desc ]

The injected `CASE WHEN ... END` expression is the usual probe for this
situation: an injection into ORDER BY cannot add its own statement, but a
condition inside the CASE changes the sort order of the response, which turns
the endpoint into a boolean oracle. By breaking out of the HQL context [4], it
would be possible to execute arbitrary SQL statements and compromise the
database.
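The following is an added example, not code from Liima or from the advisory. It shows the vulnerable pattern in its minimal form (an ORDER BY column name concatenated from a request parameter) next to an allowlist-based fix. HQL does not accept bind parameters in the ORDER BY position, so the fix has to map the request value to a fixed set of known property paths rather than try to parameterise it. The entity class name and the `:Applicationserver0` parameter are taken from the advisory's error message; the class name `DeploymentSortExample`, the method names and the `deploymentDate` property are hypothetical.

```java
import java.util.Map;

// Added example (not Liima's code): ORDER BY injection in HQL and an allowlist fix.
public final class DeploymentSortExample {

    // Query shape taken from the advisory's QuerySyntaxException; the LIKE pattern
    // is a bind parameter and is not the injection point.
    private static final String BASE_HQL =
        "select d from ch.puzzle.itc.mobiliar.business.deploy.entity.DeploymentEntity d"
        + " left join fetch d.release left join fetch d.context"
        + " where d.resourceGroup.name like :Applicationserver0 ESCAPE '\\'";

    // VULNERABLE: colToSort and sortDirection are URL parameters and end up verbatim
    // in the HQL text. Hibernate parses the concatenated string as a query, so any
    // HQL expression the attacker supplies is evaluated server-side.
    static String vulnerableHql(String colToSort, String sortDirection) {
        return BASE_HQL + " order by " + colToSort + " " + sortDirection + ", d.id desc";
    }

    // FIX: the request value is only a lookup key. The HQL fragment that reaches the
    // query comes from this map, never from the request. "deploymentDate" is a
    // hypothetical property name used for illustration.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
        "id", "d.id",
        "deploymentDate", "d.deploymentDate",
        "applicationServer", "d.resourceGroup.name");

    static String safeHql(String colToSort, String sortDirection) {
        String column = SORTABLE_COLUMNS.get(colToSort);
        if (column == null) {
            // Reject rather than fall back to a default: a rejected value is visible
            // in logs, a silent default hides probing attempts.
            throw new IllegalArgumentException("unknown sort column");
        }
        // Normalise the direction to one of two literals instead of echoing the input.
        String direction = "DESC".equalsIgnoreCase(sortDirection) ? "desc" : "asc";
        return BASE_HQL + " order by " + column + " " + direction + ", d.id desc";
    }

    public static void main(String[] args) {
        // Constructed input: the probe from the advisory's request.
        String payload = "CASE WHEN (1) THEN 1 ELSE 0 END";

        // The payload lands inside ORDER BY exactly as in the advisory's error message.
        System.out.println(vulnerableHql(payload, "ASC"));

        // Allowed key: produces a fixed, known ORDER BY clause.
        System.out.println(safeHql("id", "ASC"));

        // The probe is not a key in the allowlist and is rejected before any HQL is built.
        try {
            safeHql(payload, "ASC");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // With a Hibernate Session at hand the safe string would be executed as
        //   session.createQuery(safeHql("id", "ASC"), DeploymentEntity.class)
        //          .setParameter("Applicationserver0", pattern)
        //          .getResultList();
        // with only the LIKE pattern bound as a parameter.
    }
}
```

The check to apply when reviewing similar code: every piece of the HQL string that is not a bind parameter must be either a compile-time constant or the output of a lookup like the one above. A regular expression on the column name (for example allowing `[a-zA-Z.]+`) is not sufficient, since `d.resourceGroup.name` and many other property paths match it and still let the attacker choose what the database sorts on.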
Workaround / Fix
----------------

Upgrade to Liima v1.17.28 or later, which contains the fix [5].


Timeline
--------

2022-10-07: Discovery by Marc Tanner
2022-10-19: Initial vendor notification
2022-10-27: Initial vendor response
2023-01-03: Release of fixed version
2023-01-31: Coordinated public disclosure date


References
----------

[1] https://www.liima.org/
[2] https://github.com/liimaorg/liima#liima
[3] https://hibernate.org/orm/
[4] https://www.sonarsource.com/blog/exploiting-hibernate-injections/
[5] https://github.com/liimaorg/liima/pull/678