Validator and CVE-2017-7536


#1

I just saw that there is vulnerability CVE-2017-7536 against Validator. According to the link it affects the latest versions of 5.4 and 5.3. Per the releases page 5.4 is a stable (I’m reading that as supported) release, so is a fix planned for 5.4? Or is the only supported branch now 6.0?


#2

This issue has been fixed in Hibernate Validator 5.4.2.Final, which was released in October 2017.

You should be aware that the issue only makes sense when you are using the security manager so it doesn’t affect a lot of use cases anyway.

That being said, I strongly encourage you to upgrade to the latest and greatest Hibernate Validator 6.0.x: apart from the new features, it’s faster and consumes less memory.


#3

Thanks. You might want to let your security people know so they can have the CVE updated as the CVE says that 5.4.2 is affected as well.

Do you know if 5.3.6 includes a fix too? Again, the CVE says it doesn’t, but since 5.3.6 was released about the same time as 5.4.2 I’m thinking that it does.


#4

To be clear, here are the statuses of the different branches regarding CVE-2017-7536:

  • 5.3: fixed in 5.3.6.Final
  • 5.4: fixed in 5.4.2.Final
  • 6.0: never affected

I’ll try to get the CVE updated.


#5

So… I checked the CVE and basically it is all wrong as it states that 5.2.5.Final is not affected, whereas it is.

So here is the definite reference for the branches:

  • 5.2: affected: up to 5.2.5.Final included; fixed in JBoss EAP, we haven’t released any community versions but the fix is in the master branch
  • 5.3: affected: up to 5.3.5.Final; fixed in 5.3.6.Final
  • 5.4: affected: up to 5.4.1.Final; fixed in 5.4.2.Final
  • 6.0: never affected

@ddillard thanks for reporting the issue with the CVE, I asked for it to be corrected. I hope it will get fixed soon.

Once again, this CVE only concerns people running their applications with the security manager enabled so it should be of no concern for the vast majority of users.
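
The branch list in post #5, turned into a dependency check. This is an added example, not part of the thread and not Hibernate Validator code. The sample `mvn dependency:list` lines are constructed, and the function names and the `security_manager_enabled` parameter are assumptions made for illustration.

```python
import re

# Last affected community release (micro number) per branch, from post #5.
LAST_AFFECTED = {(5, 2): 5, (5, 3): 5, (5, 4): 1}
# Branches for which the thread names a fixed community release
# (5.3.6.Final and 5.4.2.Final); 5.2 has none.
HAS_COMMUNITY_FIX = {(5, 3), (5, 4)}
NEVER_AFFECTED = {(6, 0)}

# Constructed sample in the style of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO]    org.hibernate:hibernate-validator:jar:5.4.2.Final:compile
[INFO]    org.hibernate:hibernate-validator:jar:5.2.5.Final:runtime
[INFO]    org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
[INFO]    org.hibernate:hibernate-validator:jar:4.3.2.Final:compile
[INFO]    org.hibernate:hibernate-core:jar:5.2.12.Final:compile
"""

DEP = re.compile(r"org\.hibernate(?:\.validator)?:hibernate-validator:jar:([^:\s]+)")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.Final")


def status(version):
    """Classify one version string against the ranges given in the thread."""
    m = VERSION.fullmatch(version)
    if not m:
        return "unknown"  # pre-releases and vendor builds are not covered by the thread
    major, minor, micro = map(int, m.groups())
    branch = (major, minor)
    if branch in NEVER_AFFECTED:
        return "never-affected"
    if branch not in LAST_AFFECTED:
        return "unknown"  # e.g. 4.3: the thread gives no affected range
    if micro <= LAST_AFFECTED[branch]:
        return "affected"
    return "fixed" if branch in HAS_COMMUNITY_FIX else "unknown"


def scan(dependency_list, security_manager_enabled):
    """Return (version, status, needs_action) for each hibernate-validator entry."""
    findings = []
    for version in DEP.findall(dependency_list):
        st = status(version)
        # Per the thread, the CVE only matters when the security manager is enabled.
        findings.append((version, st, st == "affected" and security_manager_enabled))
    return findings
```

Versions the thread does not cover come back as `unknown` rather than being guessed at, so they still need a manual look.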


#6

Hello everyone. On GitHub I have found that the 4.3.4.Final version contains the fix for CVE-2017-7536, but there is no such artifact in Maven Central or even the JBoss Maven repository. Is this version going to be released? Thanks.


#7

I don’t plan to release it to Central. It’s a very old, unsupported version from the community point of view.

Are you using the security manager? Because if not, this CVE does not affect you.


#8

We use the security manager and unfortunately cannot migrate to newer versions. If it is not going to be released to Central, can we expect that it will appear in the JBoss repository?


#9

To be honest, I only pushed the fix there because it’s part of a still maintained JBoss EAP version.

If you need it, grab the tag and push it to an internal repository. We don’t maintain community versions of versions that are so old.