Bug 1575639 (CVE-2018-1313)

Summary: CVE-2018-1313 derby: Externally-controlled input vulnerability allows remote attacker to boot a database under attacker's control
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akurtako, alazarot, anstephe, chazlett, drieden, etirelli, hghasemb, ibek, krathod, kverlaen, lef, lkundrak, lpetrovi, mat.booth, paradhya, pdrozd, pszubiak, rrajasek, rsynek, rzhang, sdaley, sochotni, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: derby 10.14.2.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-23 21:29:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1575641, 1575642    
Bug Blocks: 1575643    

Description Adam Mariš 2018-05-07 13:53:04 UTC 
Network Server to boot a database whose location and contents are under
the user's control. If the Derby Network Server is not running with a
Java Security Manager policy file, the attack is successful. If the
server is using a policy file, the policy file must permit the
database location to be read for the attack to work. The default
Derby Network Server policy file distributed with the affected releases
includes a permissive policy as the default Network Server policy, which
allows the attack to work.

Versions Affected: Derby 10.3.1.4 to 10.14.1.0

References:

http://openwall.com/lists/oss-security/2018/05/05/1
Comment 1 Adam Mariš 2018-05-07 13:54:11 UTC 
Created derby tracking bugs for this issue:

Affects: fedora-all [bug 1575641]
Comment 3 Tomas Hoger 2018-05-16 21:01:54 UTC 
Upstream fix for this issue:

https://svn.apache.org/viewvc?view=revision&revision=1826467
https://github.com/apache/derby/commit/a2027c64e185a9ce46929f352e2db03371c1f95b

This commit includes changes for the following upstream bugs:

Network Server COMMAND_TESTCONNECTION need not try to open a database
https://issues.apache.org/jira/browse/DERBY-6986

The default Network Server security policy file could be trimmed down somewhat
https://issues.apache.org/jira/browse/DERBY-6987

Upstream considers either change to fix this issue:

http://openwall.com/lists/oss-security/2018/05/15/3

DERBY-6986 fix seems to be the core fix, as it prevents attacker from being able to force Derby to open attacker-specified database via ping command.  Tightening of the default security policy in DERBY-6987 blocks exploitation of the issue.

Note that 10.3.1.4 is listed as the first affected version because that version introduced the default security policy:

https://svn.apache.org/viewvc/db/derby/code/tags/10.3.1.4/RELEASE-NOTES.html?view=co
https://issues.apache.org/jira/browse/DERBY-2196

However, the problem with the ping command may affect earlier versions too, and therefore they should be considered affected as well.