[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640294#comment-17640294 ]

Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

At a minimum, I think that we need to publish this fix in a 10.16.2 release. If 
we stop there, then users will need to upgrade to Java 17 in order to get the 
fix. When they do that, they will lose the protections offered by the 
deprecated Java SecurityManager.

We could publish 10.15.3 and 10.14.3 releases also in order to cover users who 
need to run on Java 8 and Java 11 as well as users who need a SecurityManager. 
I don't know how many releases our dwindling community will be willing to vet.

In any event, doc changes have to be made before we cut any releases.

What are your thoughts?

> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html
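The attachment names above (escapeLDAPsearchFilter) indicate the fix is to escape the user-supplied value before it is interpolated into the LDAP search filter. The following is an added illustration of that mitigation, written for this page; it is not Derby's code and not the patch attached to DERBY-7147. The class and method names (LdapFilterEscaper, escapeSearchFilterValue, buildUidFilter) are hypothetical, and the sample inputs are constructed. It applies the RFC 4515 escaping rules: `*`, `(`, `)`, `\` and NUL become `\2a`, `\28`, `\29`, `\5c` and `\00`, and non-ASCII UTF-8 octets are hex-escaped.

```java
// Added example (not Derby's own code): escape an untrusted value before
// placing it inside an LDAP search filter, following RFC 4515 section 3.
// All names here are hypothetical and chosen for this illustration only.
import java.nio.charset.StandardCharsets;

public final class LdapFilterEscaper {

    private LdapFilterEscaper() {
    }

    /**
     * Escape a value so that it can only ever be matched as data inside an
     * LDAP search filter, never interpreted as filter syntax.
     */
    public static String escapeSearchFilterValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        StringBuilder sb = new StringBuilder(value.length());
        // Work on UTF-8 octets so that non-ASCII characters can be emitted as \XX.
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    if (c >= 0x80) {
                        // non-ASCII octet: hex-escape it
                        sb.append('\\').append(String.format("%02x", c));
                    } else {
                        sb.append((char) c);
                    }
            }
        }
        return sb.toString();
    }

    /**
     * Build the filter used to look up a user's DN by uid. The user name is
     * escaped, so filter metacharacters in it cannot alter the query shape.
     */
    public static String buildUidFilter(String userName) {
        return "(uid=" + escapeSearchFilterValue(userName) + ")";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name, and names containing the
        // metacharacters that would otherwise change the filter's structure.
        String[] inputs = { "alice", "a*b", "x)(uid=y", "back\\slash", "m\u00fcller" };
        for (String in : inputs) {
            System.out.println(in + " -> " + buildUidFilter(in));
        }
    }
}
```

The point of escaping the value rather than rejecting a fixed list of bad characters is that the filter's shape is fixed at `(uid=...)` regardless of what the caller supplies: the wildcard and parenthesis cases in `main` show those characters surviving only as literal data. Where a well-tested library routine for filter encoding is available, it is preferable to a hand-rolled one; and note that a distinguished name returned by the search (as in getDNFromUID) follows the different escaping rules of RFC 4514 if it is ever composed from user input rather than read back from the server.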



--
This message was sent by Atlassian Jira
(v8.20.10#820010)