SCA: security update for org.apache.derby:derby (GHSA-rcjc-c4pj-xxrp)

critical Tenable Self-Hosted Container Security Plugin ID 418665

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby
installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-
authenticated Derby installations, this could also allow the attacker to execute malware which was visible
to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't
also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and
corrupt sensitive data and run sensitive database functions and procedures. Mitigation: Users should
upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions
should build their own Derby distribution from one of the release families to which the fix was
backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS
versions 17, 11, and 8. (CVE-2022-46337)

See Also

https://github.com/advisories/GHSA-rcjc-c4pj-xxrp

Plugin Details

Severity: Critical

ID: 418665

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.96

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-46337

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/20/2023

Vulnerability Publication Date: 11/20/2023

Reference Information

CVE: CVE-2022-46337