Apache Derby 'BUILTIN' Authentication Insecure Password Hashing
Severity: High
Nessus Plugin ID 52536

Synopsis
The remote database server is running software known to be susceptible to brute-forcing of passwords.

Description
According to its self-reported version number, the installation of Apache Derby running on the remote server applies a transformation to passwords that discards half the bits of most characters before hashing. Many distinct passwords therefore map to the same hash input, producing a large number of hash collisions and making passwords much easier to brute-force. This vulnerability only affects the BUILTIN authentication method.

Note that Nessus has not tested for the issue but has instead relied only on the application's self-reported version number.

Solution
Upgrade to Apache Derby 10.6.1.0 or later.