A new version of Hibernate ORM is available today:
5.4.24.Final, we recommend upgrading your applications.
This release introduces a security fix relating to CVE-2020-25638.
The flaw has been present in Hibernate ORM since many years, so many older versions are affected.
An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at time of writing this), you can disable SQL comments by setting:
This property also happens to be disabled by default, so unless you had it enabled explicitly you are not affected.
If you’re running Hibernate ORM from series 5.3.x, you might prefer to use version
5.3.20.Final instead, which also includes the fix for this CVE.
In addition to the security fix the release introduces :
A fix for the NPE thrown when an Entity
Ahas a map collection having an Embeddable with an association to
Aas index (HHH-14257).
An improvement that permits to use a query hint to specify the table names to which a native query refers. During the auto flush, Hibernate will check whether there are pending operation affected by those tables, and if so automatically flush those changes. When the native query performs an update or delete operation, the table names are also used to determine if any second level cache region is affected and then need to be invalidated (HHH-14325).
Bytecode enhanced entities wouldn’t always detect dirty state correctly for mutable embeddable types (HHH-14329).
Pessimistic locking modes could trigger an invalid
FOR UPDATEclause on outer joins statements (HHH-14333).
Padded batch style entity loaders were not compatible with entity graph load influencers (HHH-14312).
Easier to define affected Query Spaces for native queries (HHH-14325).
All details are available and up to date on the dedicated page on hibernate.org.