#VU12420 Security restrictions bypass in Apache Derby


Published: 2018-05-08 | Updated: 2018-05-08

Vulnerability identifier: #VU12420

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1313

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Derby
Server applications / Database software

Vendor: Apache Foundation

Description
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions to the target system.

The weakness exists in the Network Server component due to improper security restrictions. If the Derby Network Server is started without specifying a security manager, the Derby Network Server will install a default Java security manager that enforces a basic policy. A remote attacker can send a specially crafted packet and cause the system to boot a database for which the location and contents of the database are under the attacker's control.

Mitigation
Update to version 10.14.2.0.

Vulnerable software versions

Apache Derby: 10.3.1.4 - 10.14.1.0


External links
http://issues.apache.org/jira/browse/DERBY-6987
http://db.apache.org/derby/releases/release-10.14.2.0.cgi


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability