This is an automated email from the ASF dual-hosted git repository. rzo1 pushed a commit to branch tomee-8.x in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 286b979044fded5be2a00fff77443d167ca0a82c
Author: Richard Zowalla <[email protected]>
AuthorDate: Mon Oct 10 14:19:35 2022 +0200
TOMEE-4088 - Add workaround for CVE-2022-41853 by setting hsqldb.method_class_names to an invalid value (if not specified)
---
.../src/main/java/org/apache/openejb/loader/SystemInstance.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
index f200a16d7f..4f03303afb 100644
--- a/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
+++ b/container/openejb-loader/src/main/java/org/apache/openejb/loader/SystemInstance.java
@@ -145,6 +145,13 @@ public final class SystemInstance {
 if (getProperty("hsqldb.reconfig_logging") == null) {
 setProperty("hsqldb.reconfig_logging", "false", true);
 }
+
+ // TOMEE-4086
+ // Prevent CVE-2022-41853 by setting hsqldb.method_class_names if it isn't set.
+ // See: https://github.com/advisories/GHSA-77xx-rxvh-q682
+ if (getProperty("hsqldb.method_class_names") == null) {
+ setProperty("hsqldb.method_class_names", "invalid", true);
+ }
 }
 
 public <E> E fireEvent(final E event) {
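Review bot: The new comment tags the block `// TOMEE-4086` while the commit title says TOMEE-4088; one of the two is a typo and the comment should match the ticket the workaround is tracked under (`// TOMEE-4088`) so the mitigation stays traceable. The comment also does not say why the literal `"invalid"` is a fix, which a maintainer may later "clean up"; suggest `// "invalid" names no real class, so the allow-list permits no Java static method to be called from SQL (see linked advisory)`. The guard only tests for null, so an explicitly configured value, including an empty one, is left untouched, which looks intended but is worth stating in the comment. The third argument of setProperty is presumably what propagates the value to the JVM system properties HSQLDB reads; if HSQLDB is initialized before this constructor runs the workaround has no effect, so that ordering should be confirmed. The enclosing method starts before the hunk.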
