CVE-2018-1313
First published: Mon May 07 2018(Updated: )
Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Derby | >=10.3.1.4<=10.14.1.0 | |
| Oracle WebLogic Server | =12.2.1.3 | |
| IBM RDNG | <=6.0.2 | |
| IBM DOORS Next | <=7.0 | |
| IBM DOORS Next | <=7.0.1 | |
| IBM DOORS Next | <=7.0.2 | |
| IBM RDNG | <=6.0.6.1 | |
| IBM RDNG | <=6.0.6 | |
| IBM Pub | <=7.0.1 | |
| IBM Pub | <=7.0.2 | |
| IBM Pub | <=7.0 | |
| IBM EWM | <=7.0.2 | |
| IBM EWM | <=7.0.1 | |
| IBM RTC | <=6.0.2 | |
| IBM RTC | <=6.0.6.1 | |
| IBM EWM | <=7.0 | |
| IBM RTC | <=6.0.6 | |
| IBM Global Configuration Management | <=All | |
| IBM ETM | <=7.0.2 | |
| IBM RQM | <=6.0.6.1 | |
| IBM ETM | <=7.0.1 | |
| IBM RQM | <=6.0.6 | |
| IBM ETM | <=7.0.0 | |
| IBM RQM | <=6.0.2 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/104140
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5@%3Cdev.hive.apache.org%3E
- https://markmail.org/message/akkappppxcdqrgxk
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/142898
- https://www.ibm.com/support/pages/node/6417585 (Advisory)
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/re29ab90978e6c997377fb975f674f7514f6beb642bbf79deb45477e5%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r437d94437e6aef31af689b1e7025d024d676fd1ea9901d74e3e9ae48%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6755f48d4f5e44e39bba7dbf8d746678239d7f1f2cc108125519ce53%40%3Cissues.hive.apache.org%3E
Frequently Asked Questions
What is CVE-2018-1313?
CVE-2018-1313 is a vulnerability in Apache Derby that could allow a remote attacker to bypass security restrictions.
What is the severity of CVE-2018-1313?
The severity of CVE-2018-1313 is rated as high with a CVSS score of 7.5.
Which software versions are affected by CVE-2018-1313?
CVE-2018-1313 affects Apache Derby versions 10.3.1.4 to 10.14.1.0.
How can the vulnerability be exploited?
A specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the attacker's control.
Is there a fix available for CVE-2018-1313?
Yes, upgrading to a version of Apache Derby that is not affected by the vulnerability is recommended.
- collector/nvd-index
- agent/remedy
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache derby
- version/apache derby/10.3.1.4
- version/apache derby/10.14.1.0
- vendor/oracle
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3
- vendor/ibm
- canonical/ibm rdng
- version/ibm rdng/6.0.2
- canonical/ibm doors next
- version/ibm doors next/7.0
- version/ibm doors next/7.0.1
- version/ibm doors next/7.0.2
- version/ibm rdng/6.0.6.1
- version/ibm rdng/6.0.6
- canonical/ibm pub
- version/ibm pub/7.0.1
- version/ibm pub/7.0.2
- version/ibm pub/7.0
- canonical/ibm ewm
- version/ibm ewm/7.0.2
- version/ibm ewm/7.0.1
- canonical/ibm rtc
- version/ibm rtc/6.0.2
- version/ibm rtc/6.0.6.1
- version/ibm ewm/7.0
- version/ibm rtc/6.0.6
- canonical/ibm global configuration management
- version/ibm global configuration management/all
- canonical/ibm etm
- version/ibm etm/7.0.2
- canonical/ibm rqm
- version/ibm rqm/6.0.6.1
- version/ibm etm/7.0.1
- version/ibm rqm/6.0.6
- version/ibm etm/7.0.0
- version/ibm rqm/6.0.2
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all