Apache Derby Externally Controlled Input Vulnerability [CVE-2018-1313]
A vulnerability in the Network Server component of Apache Derby could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system.
The vulnerability is due to improper security restrictions imposed by the affected software. If the Derby Network Server is started without specifying a security manager, the Derby Network Server would install a default Java security manager that enforces a basic policy. An attacker could exploit this vulnerability by sending a crafted packet to the targeted system. A successful exploit could cause the system to boot a database for which the location and contents of the database are under the attacker’s control.
Apache has confirmed the vulnerability and released software updates.
-
To exploit this vulnerability, an attacker must send a crafted network packet to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Affected versions of Apache Derby includes a permissive policy as the default Network Server policy, which could aid an attacker in a successful exploit attempt.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
Administrators are advised to monitor affected systems.
-
Apache has released a bug report and release notes at the following links: DERBY-6987 and Apache Derby 10.14.20 Release Notes
-
Apache has released software updates at the following link: Apache Derby 10.14.2.0
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.