CVE-2009-4269
First published: Mon Aug 16 2010(Updated: )
Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Derby | <=10.5.3.0 | |
| maven/org.apache.derby:derby | <=10.5.3.01 | 10.6.1.0 |
| <=6.0.2 | ||
| <=7.0 | ||
| <=7.0.1 | ||
| <=7.0.2 | ||
| <=6.0.6.1 | ||
| <=6.0.6 | ||
| <=7.0.1 | ||
| <=7.0.2 | ||
| <=7.0 | ||
| <=7.0.2 | ||
| <=7.0.1 | ||
| <=6.0.2 | ||
| <=6.0.6.1 | ||
| <=7.0 | ||
| <=6.0.6 | ||
| <=All | ||
| <=7.0.2 | ||
| <=6.0.6.1 | ||
| <=7.0.1 | ||
| <=6.0.6 | ||
| <=7.0.0 | ||
| <=6.0.2 | ||
| <=All |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
- http://marcellmajor.com/derbyhash.html
- https://issues.apache.org/jira/browse/DERBY-4483
- http://blogs.sun.com/kah/entry/derby_10_6_1_has
- http://secunia.com/advisories/42970
- http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
- http://www.securityfocus.com/bid/42637
- http://www.vupen.com/english/advisories/2011/0149
- http://www.securitytracker.com/id?1024977
- http://secunia.com/advisories/42948
- http://marc.info/?l=apache-db-general&m=127428514905504&w=1
- https://nvd.nist.gov/vuln/detail/CVE-2009-4269
- https://github.com/apache/derby/commit/178ca0cfb796b5a5788d25ded0978773ea254332
- https://github.com/apache/derby/commit/23f97a597716ee5b08eff698b7177850ad8e1294
- https://github.com/apache/derby/commit/3b82686e32a8d4fa2027350279104f9b243b35d6
- https://github.com/apache/derby/commit/60edeb0cb29daf9d28ece1863db779c1af5a3f62
- https://github.com/apache/derby/commit/8c305e2f3fad1c3a4f98c06c7f2b53e2bfdd308c
- https://github.com/advisories/GHSA-fh32-35w2-rxcc (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61202
- https://www.ibm.com/support/pages/node/6417585 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this Apache Derby vulnerability?
The vulnerability ID of this Apache Derby vulnerability is CVE-2009-4269.
What is the severity rating of CVE-2009-4269?
CVE-2009-4269 has a severity rating of 2.1, which is considered low.
How does CVE-2009-4269 impact Apache Derby?
CVE-2009-4269 allows a remote attacker to obtain sensitive information through a reduction in the size of the input set of the password hash generation algorithm.
Which versions of Apache Derby are affected by CVE-2009-4269?
Apache Derby versions up to and including 10.5.3.0 are affected by CVE-2009-4269.
How can I fix CVE-2009-4269?
To fix CVE-2009-4269, it is recommended to update Apache Derby to version 10.6.1.0 or later.
- collector/nvd-historical
- collector/github-advisory-latest
- alias/GHSA-fh32-35w2-rxcc
- alias/CVE-2009-4269
- collector/github-advisory
- collector/nvd-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache derby
- version/apache derby/10.5.3.0
- package-manager/maven
- vendor/ibm
- canonical/ibm rdng
- version/ibm rdng/6.0.2
- canonical/ibm doors next
- version/ibm doors next/7.0
- version/ibm doors next/7.0.1
- version/ibm doors next/7.0.2
- version/ibm rdng/6.0.6.1
- version/ibm rdng/6.0.6
- canonical/ibm pub
- version/ibm pub/7.0.1
- version/ibm pub/7.0.2
- version/ibm pub/7.0
- canonical/ibm ewm
- version/ibm ewm/7.0.2
- version/ibm ewm/7.0.1
- canonical/ibm rtc
- version/ibm rtc/6.0.2
- version/ibm rtc/6.0.6.1
- version/ibm ewm/7.0
- version/ibm rtc/6.0.6
- canonical/ibm global configuration management
- version/ibm global configuration management/all
- canonical/ibm etm
- version/ibm etm/7.0.2
- canonical/ibm rqm
- version/ibm rqm/6.0.6.1
- version/ibm etm/7.0.1
- version/ibm rqm/6.0.6
- version/ibm etm/7.0.0
- version/ibm rqm/6.0.2
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all