CVE-2009-4269

Summary

CVE	CVE-2009-4269
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-08-16 20:00:00 UTC
Updated	2011-01-26 06:41:00 UTC
Description	The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

Risk And Classification

Problem Types: CWE-310

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Derby	All	All	All	All

References

Reference	Source	Link	Tags
Apache Derby 10.6.1.0 Release	CONFIRM	db.apache.org
Apache Derby 'BUILTIN' Authentication Insecure Password Hashing Vulnerability	BID	www.securityfocus.com
Oracle Critical Patch Update Pre-Release Announcement - January 2011	CONFIRM	www.oracle.com
marcellmajor.com \| 522: Connection timed out	MISC	marcellmajor.com
Oracle Health Sciences - InForm Authentication Scheme Security Issue - Advisories - Community	SECUNIA	secunia.com
'[ANNOUNCE] Apache Derby 10.6.1.0 released' - MARC	MLIST	marc.info
Oracle Industry Applications Bugs Let Remote Users Partially Deny Service, Access Data, and Modify Data - SecurityTracker	SECTRACK	www.securitytracker.com
[DERBY-4483] Provide a way to change the hash algorithm used by BUILTIN authentication - ASF JIRA	CONFIRM	issues.apache.org	Vendor Advisory
Apache Derby "BUILTIN" Authentication Scheme Security Issue - Advisories - Community	SECUNIA	secunia.com
404 Not Found	MISC	blogs.sun.com
Webmail - OVH	VUPEN	www.vupen.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.