VYPR
Moderate severity · NVD Advisory · Published May 7, 2018 · Updated Sep 16, 2024

CVE-2018-1313

Description

A specially-crafted network packet can boot a user-controlled database on Apache Derby Network Server without a restrictive Java Security Manager.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Apache Derby versions 10.3.1.4 to 10.14.1.0 (inclusive) contain a vulnerability in the Network Server component. A specially-crafted network packet can be sent to request the server to boot a database whose location and contents are under the attacker's control. The attack succeeds if the server is not running with a Java Security Manager policy file; if a policy file is used, it must permit reading the database location for the attack to work. The default Derby Network Server policy file distributed with affected releases is permissive, allowing the attack by default [1].

Exploitation

The attacker requires network access to the Derby Network Server. No authentication is needed. The attacker sends a crafted network packet to the server, instructing it to boot a database location chosen by the attacker. If the server is not protected by a Java Security Manager policy, the attack succeeds immediately. Even with a policy file, the default policy included in the distribution is permissive enough to allow the attack [1].

Impact

Successful exploitation allows the attacker to boot a database under their control on the server. This can lead to unauthorized data access or arbitrary code execution within the context of the Derby process, depending on the contents of the attacker-supplied database [1].

Mitigation

Apache Derby recommends upgrading to version 10.14.2.1 or later, which addresses this issue. As a workaround, users of affected versions should deploy a restrictive Java Security Manager policy file that limits database boot locations. The default permissive policy should not be used in production environments. No KEV listing is available for this CVE [1].
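A policy of the kind the mitigation describes, added here as an illustration and not taken from the advisory or from the Derby project: the first grant is a constructed weak setting that lets the engine read, and so boot, a database anywhere the process can reach, while the second confines file access to derby.system.home. The property names derby.install.url and derby.system.home and the jar name follow Derby's template policy conventions; the socket, property and class-loader permissions the server also needs are assumed to be carried over from that template and are omitted from this fragment.

```text
// WEAK (constructed example, not the shipped file): with read access to every
// path, any readable directory the request names can be booted as a database.
grant codeBase "${derby.install.url}derby.jar" {
  permission java.io.FilePermission "<<ALL FILES>>", "read";
};

// RESTRICTIVE: the engine may only touch files beneath derby.system.home, so a
// boot request naming a location outside that directory fails the Security
// Manager's read check instead of opening the attacker-supplied database.
grant codeBase "${derby.install.url}derby.jar" {
  permission java.io.FilePermission "${derby.system.home}", "read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  // ... the remaining socket, property and class-loader grants from the
  // Derby template policy belong here and are assumed, not shown.
};

// Start the server with the policy enforced; -Dderby.system.home pins the
// directory the grant above refers to (assumed path, adjust to your install):
//   java -Djava.security.manager -Djava.security.policy=server.policy \
//        -Dderby.system.home=/var/lib/derby \
//        org.apache.derby.drda.NetworkServerControl start
```

A useful check after deploying such a policy is to confirm that no grant in the file contains `<<ALL FILES>>` or a `"/-"`-style wildcard with read access for derby.jar.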

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.derby:derby (Maven)
Affected versions: >= 10.3.1.4, < 10.14.2.0
Patched versions: 10.14.2.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 17

News mentions: 0 (no linked articles in our index yet)