Apache Derby Vulnerability Let Attackers Bypass Authentication with LDAP Injection

A critical security vulnerability (CVE-2022-46337) in Apache Derby, an open-source relational database implemented entirely in Java, has exposed systems to authentication bypass attacks via LDAP injection.
The flaw, rated with a CVSS score of 9.1, enables attackers to craft malicious usernames that circumvent LDAP authentication checks, potentially granting unauthorized access to sensitive data and database functions.
The vulnerability stems from improper neutralization of special elements in LDAP queries (CWE-74), a common injection flaw that occurs when user inputs are not sanitized before being processed by downstream components.
In Apache Derby installations configured to use LDAP for authentication, attackers can exploit this weakness by submitting a specially designed username.
This input manipulates the structure of the LDAP query, effectively bypassing credential verification.
Successful exploitation allows adversaries to:
- Create arbitrary databases to exhaust disk space
- Execute malicious code with the privileges of the Derby server process
- Access, modify, or exfiltrate sensitive data in databases lacking SQL GRANT/REVOKE authorization safeguards
- Invoke privileged database functions and procedures
The vulnerability explicitly impacts Apache Derby versions 10.1.1.0 through 10.14.3.0, 10.15.1.3 through 10.15.2.1, and 10.16.1.1.
Additionally, IBM products that bundle vulnerable Derby versions, including TXSeries for Multiplatforms (versions 8.1, 8.2, 9.1, 10.1) and Spectrum Control (5.4.0–5.4.11), are affected.
Mitigations
Apache Software Foundation recommends upgrading to Derby 10.17.1.0 paired with Java 21 for comprehensive protection.
Organizations unable to migrate immediately can backport security fixes to Derby release families 10.16, 10.15, and 10.14, which align with Java LTS versions 17, 11, and 8, respectively.
IBM has released patches for its affected products:
- TXSeries for Multiplatforms 9.1/10.1: Apply fixes via IBM Fix Central.
- TXSeries 8.1/8.2: Extended support customers must request patches through Salesforce cases.
- Spectrum Control 5.4.x: Upgrade to version 5.4.12 and manually remove vulnerable derby.jar/derbytools.jar files.
Notably, IBM Business Automation Workflow Containers (v23.0.2) include Derby but remain unaffected in supported configurations, as the component doesn’t interact with LDAP in production workflows.
As LDAP remains a cornerstone of enterprise authentication systems, rigorous input validation and query parameterization remain critical defenses against injection attacks.
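To make the two defenses named above concrete, the following is an added Python example (not Derby's own code and not from the article). It assumes the authentication scheme looks up a user with a single-assertion search filter of the shape `(uid=<username>)`; the naive builder concatenates the raw username (the CWE-74 pattern), the hardened builder escapes it per RFC 4515, and a conservative allow-list rejects usernames that should never reach the directory at all. The test input is constructed for the example.

```python
import re

# RFC 4515 section 3: characters that must be escaped when embedded as an
# assertion value in an LDAP search filter. Each becomes a backslash and two
# hex digits, so the character can no longer act as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated purely as data inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(username: str, uid_attr: str = "uid") -> str:
    """The vulnerable pattern: raw concatenation of user input into the filter."""
    return f"({uid_attr}={username})"


def hardened_filter(username: str, uid_attr: str = "uid") -> str:
    """The fixed pattern: the username is escaped before it enters the filter."""
    return f"({uid_attr}={escape_filter_value(username)})"


def assertion_count(ldap_filter: str) -> int:
    """Crude structural check: a lookup for one user must contain exactly one
    assertion, i.e. exactly one unescaped '('. Escaped parentheses are emitted
    as '\\28' / '\\29' and therefore do not count."""
    return ldap_filter.count("(")


# Allow-list for usernames (assumed policy for this example): letters, digits,
# dot, underscore and hyphen, 1 to 64 characters. Anything else is rejected
# before any directory query is built.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_well_formed_username(username: str) -> bool:
    """Reject usernames outside the allow-list instead of trying to clean them."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_lookup_filter(username: str) -> str:
    """Defense in depth: allow-list first, then escape what remains."""
    if not is_well_formed_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return hardened_filter(username)


if __name__ == "__main__":
    # Constructed input containing filter metacharacters (not a real account).
    crafted = "alice)(cn=*"
    print("naive   :", naive_filter(crafted), "assertions =",
          assertion_count(naive_filter(crafted)))
    print("hardened:", hardened_filter(crafted), "assertions =",
          assertion_count(hardened_filter(crafted)))
    print("allow-list accepts 'alice.smith-01':",
          is_well_formed_username("alice.smith-01"))
    print("allow-list accepts crafted input   :", is_well_formed_username(crafted))
```

With the raw concatenation the crafted value turns a one-user lookup into a two-assertion filter, which is exactly the query-structure change the article describes; after escaping, the same bytes stay inside the single assertion value. The allow-list is the stronger control where the user population permits it, because it removes the question of whether every downstream consumer escapes correctly.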
IBM’s proactive issuance of fixes for legacy TXSeries versions (8.1/8.2) demonstrates the vulnerability’s severity, though extended support requirements may complicate remediation for some enterprises.
The post Apache Derby Vulnerability Let Attackers Bypass Authentication with LDAP Injection appeared first on Cyber Security News.