CVE-2022-46337

Severity CVSS v4.0:
Pending analysis
Type:
CWE-74 Injection
Publication date:
20/11/2023
Last modified:
10/06/2025

Description

A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.

Mitigation:

Users should upgrade to Java 21 and Derby 10.17.1.0.

Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

Vulnerable products and versions

CPE: cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*
  From: 10.1.1.0 (including)
  Up to: 10.14.3.0 (excluding)

CPE: cpe:2.3:a:apache:derby:*:*:*:*:*:*:*:*
  From: 10.15.1.3 (including)
  Up to: 10.15.2.1 (excluding)

CPE: cpe:2.3:a:apache:derby:10.16.1.1:*:*:*:*:*:*:*
  (single version: 10.16.1.1)