Bug#1056755: derby: CVE-2022-46337
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 25 21:56:35 GMT 2023
Source: derby
Version: 10.14.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/DERBY-7147
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for derby.
CVE-2022-46337[0]:
| A cleverly devised username might bypass LDAP authentication checks.
| In LDAP-authenticated Derby installations, this could let an
| attacker fill up the disk by creating junk Derby databases. In
| LDAP-authenticated Derby installations, this could also allow the
| attacker to execute malware which was visible to and executable by
| the account which booted the Derby server. In LDAP-protected
| databases which weren't also protected by SQL GRANT/REVOKE
| authorization, this vulnerability could also let an attacker view
| and corrupt sensitive data and run sensitive database functions and
| procedures. Mitigation: Users should upgrade to Java 21 and Derby
| 10.17.1.0. Alternatively, users who wish to remain on older Java
| versions should build their own Derby distribution from one of the
| release families to which the fix was backported: 10.16, 10.15, and
| 10.14. Those are the releases which correspond, respectively, with
| Java LTS versions 17, 11, and 8.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46337
https://www.cve.org/CVERecord?id=CVE-2022-46337
[1] https://issues.apache.org/jira/browse/DERBY-7147
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore