PT-2018-3674 · Apache · Apache Derby
Bradley Parker · Published 2018-05-07 · Updated 2022-07-26
CVE-2018-1313
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Derby versions 10.3.1.4 through 10.14.1.0
Description
The issue is related to insufficient input validation in the Apache Derby database management system. This can be exploited by a remote attacker to impact the integrity of protected information. A specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. The attack's success depends on whether the Derby Network Server is running with a Java Security Manager policy file. If such a policy file is in use, it must permit the database location to be read for the attack to be successful. The default policy file distributed with the affected releases has a permissive policy, allowing the attack to work.
Recommendations
For Apache Derby versions 10.3.1.4 through 10.14.1.0, consider implementing a Java Security Manager policy file that restricts database locations to prevent unauthorized access. If a policy file is already in use, review and update it to ensure it does not permit reading of arbitrary database locations. As a temporary workaround, consider restricting access to the Derby Network Server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
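One way to carry out the policy review recommended above, as an added example that is not part of the original advisory or of Apache Derby: a small Python audit that lists every java.io.FilePermission read grant in a Java Security Manager policy file that reaches outside an approved database root. The function names, the sample policy and the choice of `${derby.system.home}` as the approved root are assumptions made for illustration; paths are compared as text, without expanding `${...}` properties.

```python
import re

# permission java.io.FilePermission "<target>", "<actions>";
PERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def under_allowed_root(target, allowed_roots):
    """True if a FilePermission target stays inside one of the allowed roots.
    Comparison is textual: ${...} properties are not expanded (assumption)."""
    if target == "<<ALL FILES>>":          # matches every file on the host
        return False
    path = target.replace("${/}", "/")     # ${/} is the policy path separator
    if path.endswith(("/-", "/*")):        # recursive / one-level wildcards
        path = path[:-2]
    path = path.rstrip("/")
    if ".." in path.split("/"):            # could climb out of the root
        return False
    roots = [r.replace("${/}", "/").rstrip("/") for r in allowed_roots]
    return any(path == r or path.startswith(r + "/") for r in roots)

def risky_read_grants(policy_text, allowed_roots):
    """Return (line_number, target) for each read grant outside allowed_roots.
    Handles // line comments only; block comments are not parsed."""
    findings = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        if line.strip().startswith("//"):
            continue
        for target, actions in PERM_RE.findall(line):
            granted = {a.strip().lower() for a in actions.split(",")}
            if "read" in granted and not under_allowed_root(target, allowed_roots):
                findings.append((lineno, target))
    return findings

# Constructed sample policy, not the file shipped with any Derby release.
SAMPLE_POLICY = '''grant codeBase "${derby.install.url}derby.jar" {
  // database files
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "/tmp/-", "read,write";
  permission java.io.FilePermission "/var/log/derby.log", "write";
};
'''

if __name__ == "__main__":
    for lineno, target in risky_read_grants(SAMPLE_POLICY, ["${derby.system.home}"]):
        print(f"line {lineno}: read permitted outside database root: {target}")
```

Any line it reports is a grant to narrow or remove so that the server can only read the directories where databases are meant to live.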
Improper Access Control
RCE
Affected Products
Apache Derby