CVE-2022-46337
Published: 2023-11-20
Priority: P2 · 61 · critical · 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.42% (69.4th percentile)
A cleverly devised username might bypass LDAP authentication checks. In
LDAP-authenticated Derby installations, this could let an attacker fill
up the disk by creating junk Derby databases. In LDAP-authenticated
Derby installations, this could also allow the attacker to execute
malware which was visible to and executable by the account which booted
the Derby server. In LDAP-protected databases which weren't also
protected by SQL GRANT/REVOKE authorization, this vulnerability could
also let an attacker view and corrupt sensitive data and run sensitive
database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0.
Alternatively, users who wish to remain on older Java versions should
build their own Derby distribution from one of the release families to
which the fix was backported: 10.16, 10.15, and 10.14. Those are the
releases which correspond, respectively, with Java LTS versions 17, 11,
and 8.
Affected
22 ranges reported by the source (identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | derby | — | — |
| apache | derby | >= 0 < 10.14.2.0-3 | 10.14.2.0-3 |
| apache | derby | >= 10.1.1.0 < 10.14.3.0 | 10.14.3.0 |
| apache | derby | >= 10.15.1.3 < 10.15.2.1 | 10.15.2.1 |
| apache_software_foundation | apache_derby | — | — |
| apache_software_foundation | apache_derby | 10.1.1.0 – 10.1.3.1 | — |
| apache_software_foundation | apache_derby | 10.10.1.1 – 10.10.2.0 | — |
| apache_software_foundation | apache_derby | 10.15.1.3 – 10.15.2.0 | — |
| apache_software_foundation | apache_derby | 10.2.1.6 – 10.2.2.0 | — |
| apache_software_foundation | apache_derby | 10.3.1.4 – 10.3.3.0 | — |
| apache_software_foundation | apache_derby | 10.4.1.3 – 10.4.2.0 | — |
| apache_software_foundation | apache_derby | 10.5.1.1 – 10.5.3.0 | — |
| apache_software_foundation | apache_derby | 10.6.1.0 – 10.6.2.1 | — |
| apache_software_foundation | apache_derby | 10.8.1.2 – 10.8.3.0 | — |
| debian | derby | < derby 10.14.2.0-3 (forky) | derby 10.14.2.0-3 (forky) |
Detection & IOCs (extracted from sources)
- LDAP authentication bypass via crafted username in Apache Derby; monitor for unexpected Derby database creation (disk fill) or execution of processes under the Derby server account
- In LDAP-protected Derby deployments without SQL GRANT/REVOKE authorization, watch for unauthorized data access or execution of database functions/procedures by unauthenticated users
- Exploitable remotely over HTTP with CVSS 9.8; prioritize detection on network-exposed Derby instances using LDAP authentication
- Vulnerability only affects Derby installations configured to use LDAP authentication; Derby instances using native or no authentication are not impacted by this specific bypass
- Additional SQL GRANT/REVOKE authorization layered on top of LDAP authentication limits the blast radius; databases without this second layer are fully exposed to data access and corruption
- Fixed versions are Derby 10.17.1.0 (Java 21), 10.16.x (Java 17), 10.15.x (Java 11), and 10.14.x (Java 8); Debian bookworm and bullseye remain open/unpatched as of advisory publication
CVSS provenance
- nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_oracle: 9.8 CRITICAL
GHSA
Apache Derby: LDAP injection vulnerability in authenticator
ghsa · 2023-11-20 · CVE-2022-46337 [CRITICAL] · CWE-74
OSV
CVE-2022-46337: A cleverly devised username might bypass LDAP authentication checks
osv · 2023-11-20 · CVSS 9.8 · CVE-2022-46337 [CRITICAL]
OSV
Apache Derby: LDAP injection vulnerability in authenticator
osv · 2023-11-20 · CVE-2022-46337 [CRITICAL]
Oracle
Oracle Commerce Risk Matrix: Workbench (Apache Derby) — CVE-2022-46337
vendor_oracle · 2024-10-15 · CVSS 9.8 · CVE-2022-46337 [CRITICAL]
CVE: CVE-2022-46337
CVSS: 9.8
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpuoct2024 (OCT 2024)
Oracle
Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Apache Derby) — CVE-2022-46337
vendor_oracle · 2024-04-15 · CVSS 9.8 · CVE-2022-46337 [CRITICAL]
CVE: CVE-2022-46337
CVSS: 9.8
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpuapr2024 (APR 2024)
Debian
CVE-2022-46337: derby - A cleverly devised username might bypass LDAP authentication checks
vendor_debian · 2022 · CVSS 9.8 · CVE-2022-46337 [CRITICAL]
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, October 2024 Security Update Review
blogs_qualys · 2024-10-16
Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle released the last quarterly edition of this year’s Critical Patch Update. The update contains patches for 334 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 100 constituting about 30% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 45 and 32 security patches, respectively.
Qualys
Oracle Critical Patch Security Update: October 2024 | Qualys
blogs_qualys · 2024-10-16
Qualys
Oracle Security Updates, April 2024: Critical Patch | Qualys
blogs_qualys · 2024-04-17
Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its second quarterly edition of Critical Patch Update, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applicat
Qualys
Oracle Patch Update, April 2024 Security Update Review
blogs_qualys · 2024-04-17