Summary
The host is running Apache Derby and is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow remote attackers to crack passwords by generating hash collisions.
Impact Level: Application
Solution
Upgrade to Apache Derby version 10.6.1.0 or later. For updates refer to http://db.apache.org/derby/derby_downloads.html
Insight
The flaw is due to a weakness in the password hash generation algorithm that Derby uses to store passwords in the database: it performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space and makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions.
Affected
Apache Derby versions before 10.6.1.0
Severity
CVSS Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Classification
CVE: CVE-2009-4269