Apache Derby 'BUILTIN' Authentication Insecure Password Hashing

high Nessus Plugin ID 52536

Synopsis

The remote database server is running software known to be susceptible to brute-forcing of passwords.

Description

According to its self-reported version number, the installation of Apache Derby running on the remote server performs a transformation on passwords that removes half the bits from most of the characters before hashing. This leads to a large number of hash collisions, letting passwords be easily brute-forced. This vulnerability only affects the BUILTIN authentication method.

Note that Nessus has not tested for the issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Derby 10.6.1.0 or later.

See Also

https://issues.apache.org/jira/browse/DERBY-4483

http://db.apache.org/derby/releases/release-10.6.1.0.html

http://marcellmajor.com/derbyhash.html

Plugin Details

Severity: High

ID: 52536

File Name: derby_10_6_1_0.nasl

Version: 1.5

Type: remote

Family: Databases

Published: 3/3/2011

Updated: 7/10/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 5/19/2010

Vulnerability Publication Date: 12/18/2009

Reference Information

CVE: CVE-2009-4269

BID: 42637

Secunia: 42948