Apache Derby CVE-2018-1313 – Externally Controlled Input

Authors: Grégory Draperi          Risk: Critical

CVE: CVE-2018-1313              0day: Externally Controlled Input

0day-id: 0DAY-176149            Date: 2018-05-08

Description

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user’s control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Analysis

To exploit this vulnerability, an attacker must send a crafted network packet to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Affected versions of Apache Derby include a permissive policy as the default Network Server policy, which could aid an attacker in a successful exploit attempt.

Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators are advised to monitor affected systems.

Mitigation

Users should specify an explicit security policy file, as described here: http://db.apache.org/derby/docs/10.14/security/csecjavasecurity.html

Derby release 10.14.2.0 disallows the specially-crafted network packet, and also modifies the default Derby Network Server policy file to be significantly less permissive (the default file access policy is now limited to the derby.system.home directory and the directory from which the Derby jar files were loaded). It is still recommended that production installations of the Derby Network Server should specify an explicit security policy file.
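The mitigation above comes down to one check on the policy file the Network Server runs under: does it grant the server read access to files outside derby.system.home and the directory the Derby jars were loaded from? The following added example (not code from the Apache Derby project or this advisory) parses java.io.FilePermission grants out of a Java policy file and flags the broad ones. The two embedded policy texts are constructed samples, not Derby's shipped server.policy; the property names ${derby.system.home} and ${derby.install.url} are taken from Derby's documented policy templates, and the set of roots treated as acceptable (ALLOWED_ROOTS) is an assumption you should align with your own policy.

```python
import re
from typing import List, Tuple

# Constructed sample: a policy that lets the server read any file on the host.
# This is the condition the advisory describes, where the policy permits the
# attacker-chosen database location to be read.
PERMISSIVE_POLICY = '''
grant codeBase "${derby.install.url}derbynet.jar" {
  permission java.net.SocketPermission "*", "accept";
  permission java.util.PropertyPermission "derby.*", "read";
  // file read access is not limited to the database home
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
};
'''

# Constructed sample: file access limited to derby.system.home and the
# directory the Derby jars were loaded from, as the 10.14.2.0 default does.
RESTRICTED_POLICY = '''
grant codeBase "${derby.install.url}derbynet.jar" {
  permission java.net.SocketPermission "*", "accept";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.io.FilePermission "${derby.install.url}-", "read";
};
'''

# Roots under which file-read grants are acceptable (assumption: adjust to the
# property names your policy actually uses for the home and install directories).
ALLOWED_ROOTS = ("${derby.system.home}", "${derby.install.url}", "${derby.install.path}")

# Matches: permission java.io.FilePermission "<target>", "<actions>";
FILE_PERM = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')


def file_permissions(policy_text: str) -> List[Tuple[str, List[str]]]:
    """Return (target, [actions]) for every java.io.FilePermission grant."""
    # Drop // line comments so a commented-out grant is not reported.
    stripped = re.sub(r'//[^\n]*', '', policy_text)
    return [(target, [a.strip() for a in actions.split(',')])
            for target, actions in FILE_PERM.findall(stripped)]


def overly_broad(policy_text: str, allowed_roots=ALLOWED_ROOTS) -> List[str]:
    """Targets the server may read that lie outside the allowed roots."""
    findings = []
    for target, actions in file_permissions(policy_text):
        if "read" not in actions:
            continue
        # <<ALL FILES>> is the policy-file wildcard for every path on the host.
        if target == "<<ALL FILES>>" or not target.startswith(allowed_roots):
            findings.append(target)
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: broad read grants = {overly_broad(text)}")
```

Point the checker at the file you pass to the server through the java.security.policy system property (with java.security.manager set, as the linked Derby documentation describes); an empty result means every file-read grant stays under the database home or the jar directory, which is the state the 10.14.2.0 default policy establishes.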
