[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-03-02 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17822865#comment-17822865
 ] 

Richard N. Hillegas commented on DERBY-7147:


{quote}It is showing as affected from "10.1.1.0  Up to (excluding) 10.17.1.0"{quote}

This is, technically, an accurate statement about the OFFICIAL derby releases. 
You must build your own UNOFFICIAL release if you need a fix-bearing set of 
Derby jars which run on Java LTS versions 8, 11, or 17. Your processes may need 
some work in order to accommodate unofficial software distributions.


> LDAP injection vulnerability in LDAPAuthenticationSchemeImpl
> 
>
> Key: DERBY-7147
> URL: https://issues.apache.org/jira/browse/DERBY-7147
> Project: Derby
>  Issue Type: Bug
>  Components: JDBC
>Affects Versions: 10.16.1.1
>Reporter: Richard N. Hillegas
>Assignee: Richard N. Hillegas
>Priority: Major
> Fix For: 10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0
>
> Attachments: LDAPauthenticationVulnerability.pdf, 
> derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff, 
> derby-7147-03-aa-updateLDAPinstructions.diff, 
> derby-7147-03-aa-updateLDAPinstructions.tar, 
> derby-7147-03-ab-updateLDAPinstructions.diff, 
> derby-7147-03-ab-updateLDAPinstructions.tar, 
> derby-7147-04-aa-pointLDAPTestAtInstructions.diff, releaseNote.html
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
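The defect class named in the issue description above is search-filter injection: a user id concatenated into an LDAP filter string can carry filter metacharacters. The following is an added example, not Derby's code and not any of the attached patches, showing the vulnerable construction beside the escaped form (RFC 4515 section 3) and a defensive check on the resulting filter; the class and method names are this example's own.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Derby's code: escaping a user id before it is placed
 * in an LDAP search filter. Class and method names are this example's own.
 */
public final class LdapFilterEscapeExample {

    /**
     * Escape a value for use as an assertion value inside an LDAP search
     * filter (RFC 4515 section 3). Each metacharacter becomes a backslash
     * followed by its two-digit hex code, so it can never close the current
     * filter item or open a new one.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the caller's string is pasted into the filter verbatim. */
    public static String unsafeUidFilter(String uid) {
        return "(uid=" + uid + ")";
    }

    /** Hardened pattern: the same filter, but the uid is always one literal value. */
    public static String safeUidFilter(String uid) {
        return "(uid=" + escapeFilterValue(uid) + ")";
    }

    /**
     * Defensive check for a filter the caller did not build itself: a uid
     * lookup must be exactly one equality item whose value contains no
     * unescaped metacharacters and only well-formed "\xx" escapes.
     */
    public static boolean isSingleUidEquality(String filter) {
        if (!filter.startsWith("(uid=") || !filter.endsWith(")")) {
            return false;
        }
        String value = filter.substring("(uid=".length(), filter.length() - 1);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '*' || c == '(' || c == ')' || c == '\0') {
                return false;
            }
            if (c == '\\') {
                // only a backslash followed by two hex digits is a legal escape
                if (i + 2 >= value.length()
                        || Character.digit(value.charAt(i + 1), 16) < 0
                        || Character.digit(value.charAt(i + 2), 16) < 0) {
                    return false;
                }
                i += 2;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample ids: one ordinary, two carrying filter metacharacters.
        List<String> samples = Arrays.asList("jdoe", "j*", "jd)(x");
        for (String uid : samples) {
            String unsafe = unsafeUidFilter(uid);
            String safe = safeUidFilter(uid);
            System.out.printf("uid=%-8s unsafe=%-20s single-equality=%b%n",
                    uid, unsafe, isSingleUidEquality(unsafe));
            System.out.printf("%-12s safe  =%-20s single-equality=%b%n",
                    "", safe, isSingleUidEquality(safe));
        }
    }
}
```

For the two metacharacter samples the unescaped filter fails the single-equality check while the escaped one passes, which is the property the fix needs: whatever the caller supplies, the server sees one equality match on a literal uid.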


[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-03-01 Thread Mrudula Madiraju (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17822752#comment-17822752
 ] 

Mrudula Madiraju commented on DERBY-7147:
-

Hi [~rhillegas], I guess our scanners report it because it shows up in the 
NVD [https://nvd.nist.gov/vuln/detail/CVE-2022-46337]. 

It is showing as affected from "10.1.1.0  Up to (excluding) 10.17.1.0"

If you are able to correct this as well, I _guess_ our scanners will be happy. 



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-03-01 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17822674#comment-17822674
 ] 

Richard N. Hillegas commented on DERBY-7147:


I have verified that the fix has been applied to the head of the 10.14 branch: 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.14

You can verify this yourself by looking for the string "DERBY-7147" in 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.14/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java

There is no branch named 10.14.3. Branch names are two-part ids which have the 
form majorNumber.minorNumber.

To build a fix-bearing release off the head of the 10.14 branch, see the 
instructions in my comment dated 2024-01-24. Substitute "10.14" for every 
occurrence of "10.16" in those instructions.




[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-03-01 Thread ajay kumar (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17822505#comment-17822505
 ] 

ajay kumar commented on DERBY-7147:
---

[~rhillegas] / [~julienlau] Can you please point me to the source code branch 
for 10.14.3, which has this fix? This version is not released yet, 
but I will build it myself from source code.

The branch URL that I could find has (10.14.2.1), which does not have 
that fix: [https://svn.apache.org/repos/asf/db/derby/code/branches/10.14/]

Any idea when 10.14.3 would be released and available on Maven Central?



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-01-10 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17805250#comment-17805250
 ] 

Richard N. Hillegas commented on DERBY-7147:


No one has volunteered to manage a fix-bearing release built off the 10.16 
branch. As stated above in previous comments, you will need to build your own 
10.16 jar files.

Instructions for building 10.16 can be found here: 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.16/BUILDING.html

You will need the Derby source from the head of the 10.16 branch: 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.16/

Subversion is the tool you will need to grab that source.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-01-10 Thread Laurenceau Julien (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17805057#comment-17805057
 ] 

Laurenceau Julien commented on DERBY-7147:
--

I cannot find the Derby fixed version 10.16.1.2 on Maven Central.

Is any release planned, please?



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-01-03 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17802280#comment-17802280
 ] 

Richard N. Hillegas commented on DERBY-7147:


I have checked the head of the 10.14 branch and verified that the fix was 
applied there. 

I recently updated the Apache CVE website to include more detailed version 
ranges. Those changes are now reflected at 
https://www.cve.org/CVERecord?id=CVE-2022-46337

I cannot speculate about why your scanners are raising this alarm.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-01-03 Thread gmlake (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17802150#comment-17802150
 ] 

gmlake commented on DERBY-7147:
---

Hello team, I have the same problem: the Twistlock tool and the Aquasec tool still report 
CVE-2022-46337 on v10.14.3.0 when I build v10.14.3.0 according to the 
instructions (LDAPauthenticationVulnerability.pdf).

On https://nvd.nist.gov/vuln/detail/CVE-2022-46337,
under 'Known Affected Software Configurations':
From (including): 10.1.1.0
Up to (excluding): 10.17.1.0
I think it is because 10.1.1.0 <= 10.14.3.0 < 10.17.1.0, so scan tools still 
report CVE-2022-46337 for 10.14.3.0.
Is it possible for your team to help update 
https://nvd.nist.gov/vuln/detail/CVE-2022-46337 to exclude v10.14.3.0?



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2024-01-03 Thread Mrudula Madiraju (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17802070#comment-17802070
 ] 

Mrudula Madiraju commented on DERBY-7147:
-

Hello team, this is showing up as a vulnerability in our scans even though we have 
built our own Derby jars with the fix and created a jar with version 
10.14.3.0. How can we fix this issue with the scanners? 



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-22 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799918#comment-17799918
 ] 

Richard N. Hillegas commented on DERBY-7147:


I am mystified by the high rating which NVD analysts gave to this minor 
security issue: https://nvd.nist.gov/vuln/detail/CVE-2022-46337

There are no plans to produce patch-bearing official releases for LTS Java 
versions 8, 11, or 17. Users who must remain on those Java versions will need 
to build their own Derby jars from, respectively, the heads of the 10.14, 
10.15, and 10.16 branches.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-22 Thread Susmit Sarkar (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799793#comment-17799793
 ] 

Susmit Sarkar commented on DERBY-7147:
--

We are on JDK 11; when can we expect an officially released version? The concern is 
that CVE-2022-46337 has a rating score of 9.8.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-21 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799544#comment-17799544
 ] 

Richard N. Hillegas commented on DERBY-7147:


The patch was backported to the 10.16, 10.15, and 10.14 branches, which 
correspond, respectively, with LTS Java versions 17, 11, and 8. For those 
branches and Java versions, no one has volunteered to manage an official 
release which includes this fix.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-21 Thread Florian Kolbe (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799501#comment-17799501
 ] 

Florian Kolbe commented on DERBY-7147:
--

{quote}
The patch has been backported to the 10.14 branch. If you build Derby jars from 
the head of that branch, you will have a version of Derby which includes the 
fix and which runs on Java 8.
{quote}
Why can't Apache release an official version for 10.14!? Is one expected to 
build it oneself?
How would a vulnerability database react to such a version?

https://issues.apache.org/jira/projects/DERBY/versions/12343242



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-17 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17797959#comment-17797959
 ] 

Richard N. Hillegas commented on DERBY-7147:


The patch has been backported to the 10.14 branch. If you build Derby jars from 
the head of that branch, you will have a version of Derby which includes the 
fix and which runs on Java 8.



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-12-17 Thread Izek Greenfield (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17797952#comment-17797952
 ] 

Izek Greenfield commented on DERBY-7147:


[~rhillegas] Is there a version for JDK 1.8? 



[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

2023-11-16 Thread Richard N. Hillegas (Jira)


[ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17786963#comment-17786963
 ] 

Richard N. Hillegas commented on DERBY-7147:


Attaching LDAPauthenticationVulnerability.pdf, the original description of the 
vulnerability.
