Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Versions Affected: Derby 10.3.1.4 to 10.14.1.0

References: http://openwall.com/lists/oss-security/2018/05/05/1
Created derby tracking bugs for this issue: Affects: fedora-all [bug 1575641]
Upstream fix for this issue:
https://svn.apache.org/viewvc?view=revision&revision=1826467
https://github.com/apache/derby/commit/a2027c64e185a9ce46929f352e2db03371c1f95b

This commit includes changes for the following upstream bugs:

Network Server COMMAND_TESTCONNECTION need not try to open a database
https://issues.apache.org/jira/browse/DERBY-6986

The default Network Server security policy file could be trimmed down somewhat
https://issues.apache.org/jira/browse/DERBY-6987

Upstream considers either change to fix this issue:
http://openwall.com/lists/oss-security/2018/05/15/3

The DERBY-6986 fix seems to be the core fix, as it prevents an attacker from being able to force Derby to open an attacker-specified database via the ping command. The tightening of the default security policy in DERBY-6987 blocks exploitation of the issue.

Note that 10.3.1.4 is listed as the first affected version because that version introduced the default security policy:
https://svn.apache.org/viewvc/db/derby/code/tags/10.3.1.4/RELEASE-NOTES.html?view=co
https://issues.apache.org/jira/browse/DERBY-2196

However, the problem with the ping command may affect earlier versions too, and therefore they should be considered affected as well.
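The description above states that, when a Security Manager is in use, the attack only works if the policy permits the attacker-chosen database location to be read, and the analysis notes that tightening the default policy (DERBY-6987) is enough to block exploitation. The fragment below is an added illustration of that point, not the policy file shipped with Derby and not the DERBY-6987 change: a Java policy that confines the Network Server's file access to derby.system.home (a real Derby property), with the over-broad grant that would allow the attack left commented out. The derby.install.url property, the jar names, the /opt and /var paths and the localhost:1527 listener are assumptions for this example; a production policy also needs the other grants (logging, derby.log, etc.) from Derby's own template, which are omitted here.

```text
// Illustrative hardened Network Server policy (added example, not Derby's own server.policy).
// Assumed start command; derby.system.home is a real Derby property, derby.install.url and the
// paths are assumptions for this example:
//   java -Djava.security.manager -Djava.security.policy=server.policy \
//        -Dderby.system.home=/var/lib/derby -Dderby.install.url=file:/opt/derby/lib/ \
//        org.apache.derby.drda.NetworkServerControl start

grant codeBase "${derby.install.url}derby.jar" {
  // The engine may create, open and delete databases only underneath derby.system.home.
  // A test-connection (ping) request naming any location outside that tree cannot be
  // satisfied, because the read is refused by the Security Manager.
  permission java.io.FilePermission "${derby.system.home}", "read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // The kind of grant that lets the attack succeed: the engine could then boot a database
  // from any path the client names. Do not put this in a server policy.
  // permission java.io.FilePermission "<<ALL FILES>>", "read";
};

grant codeBase "${derby.install.url}derbynet.jar" {
  // Accept client connections on the configured listener only (assumed host:port).
  permission java.net.SocketPermission "localhost:1527", "accept,connect,resolve";
  permission java.util.PropertyPermission "derby.*", "read";
};
```

To check a deployment, run the server under this policy and confirm in derby.log that a connection attempt naming a database outside derby.system.home is refused with a java.security.AccessControlException rather than booted. Two caveats follow from the analysis above: the policy is defense in depth, not a fix for the ping command itself, which is what DERBY-6986 addresses, and it does not help against an attacker who can already place files underneath derby.system.home or against a server started without -Djava.security.manager at all.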