db-derby-commits mailing list archives

From bpendle...@apache.org
Subject svn propchange: r1828579 - svn:log
Date Sat, 05 May 2018 15:10:31 GMT
Author: bpendleton
Revision: 1828579
Modified property: svn:log

Modified: svn:log at Sat May  5 15:10:31 2018
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Sat May  5 15:10:31 2018
@@ -1 +1,38 @@
 [RELEASE CHECKIN] Derby release ID set to: 10.14.2.0
+
+CVE-2018-1313: Apache Derby externally-controlled input vulnerability
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Derby 10.3.1.4 to 10.14.1.0
+
+Description:
+A specially-crafted network packet can be used to request the Derby
+Network Server to boot a database whose location and contents are under
+the user's control. If the Derby Network Server is not running with a
+Java Security Manager policy file, the attack is successful. If the
+server is using a policy file, the policy file must permit the
+database location to be read for the attack to work. The default
+Derby Network Server policy file distributed with the affected releases
+includes a permissive policy as the default Network Server policy, which
+allows the attack to work.
+
+Mitigation:
+Users should specify an explicit security policy file, as described here:
+http://db.apache.org/derby/docs/10.14/security/csecjavasecurity.html
+
+Derby release 10.14.2.0 disallows the specially-crafted network packet,
+and also modifies the default Derby Network Server policy file to be
+significantly less permissive (the default file access policy is now
+limited to the derby.system.home directory and the directory from
+which the Derby jar files were loaded). It is still recommended that
+production installations of the Derby Network Server should specify
+an explicit security policy file.
+
+Credit:
+This issue was discovered by Grégory Draperi
+

