Apache Derby Information Disclosure Vulnerability

Summary
The host is running Apache Derby and is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow remote attackers to crack passwords by generating hash collisions. Impact Level: Application
Solution
Upgrade to Apache Derby version 10.6.1.0 or later. For updates refer to http://db.apache.org/derby/derby_downloads.html
Insight
The flaw is due to a weakness in the password hash generation algorithm used by Derby to store passwords in the database: before hashing with SHA-1 it performs a transformation that reduces the size of the set of possible inputs, producing a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions.
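The following is an added illustration of the weakness class described above; it is not Derby's code and the `narrow` transform (keeping only the low four bits of each character) is a constructed stand-in, not Derby's actual algorithm. It shows how a lossy transform applied before SHA-1 makes distinct passwords collide and shrinks the search space, and contrasts it with hashing the full password bytes under a salted, iterated KDF:

```python
import hashlib
from itertools import product
from typing import Optional, Tuple

# Constructed, hypothetical lossy pre-transform (NOT Derby's real algorithm):
# only the low 4 bits of each character survive, so 'A' (0x41), 'a' (0x61)
# and 'q' (0x71) all map to the same byte value 0x01.
def narrow(password: str) -> bytes:
    return bytes(ord(c) & 0x0F for c in password)

def weak_hash(password: str) -> str:
    """SHA-1 over the narrowed input: passwords that narrow to the same bytes collide."""
    return hashlib.sha1(narrow(password)).hexdigest()

def strong_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash over the full UTF-8 encoding (PBKDF2-HMAC-SHA256):
    no information about the password is discarded before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def search_space(alphabet_size: int, length: int, distinct_after_transform: int) -> Tuple[int, int]:
    """Candidate count an attacker must cover: (raw alphabet, after the lossy transform).
    With 26 letters narrowed to 16 distinct values, an 8-character password
    drops from 26**8 to 16**8 effective possibilities."""
    return alphabet_size ** length, distinct_after_transform ** length

def demo_collision(alphabet: str = "abcdefghijklmnopqrstuvwxyz", length: int = 2) -> Optional[Tuple[str, str]]:
    """Enumerate short passwords over `alphabet` and return the first pair of
    distinct passwords whose weak hashes are identical (None if no collision)."""
    seen = {}
    for chars in product(alphabet, repeat=length):
        pw = "".join(chars)
        digest = weak_hash(pw)
        if digest in seen and seen[digest] != pw:
            return seen[digest], pw
        seen[digest] = pw
    return None

if __name__ == "__main__":
    # Demonstration run on constructed values.
    print("weak collision 'Aa' vs 'aA':", weak_hash("Aa") == weak_hash("aA"))
    salt = b"constructed-example-salt"
    print("strong collision 'Aa' vs 'aA':", strong_hash("Aa", salt) == strong_hash("aA", salt))
    print("first collision found:", demo_collision())
    print("search space raw vs narrowed:", search_space(26, 8, 16))
```

The defensive takeaway matches the advisory's fix: a password hash must consume the entire password (full byte encoding, plus a per-user salt and work factor) so that the only way to find a colliding input is to search the full original space.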
Affected
Apache Derby versions before 10.6.1.0
References