CVE-2009-4269 | Vulnerability Database | Aqua Security

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

Affected Software

Name	Vendor	Start Version	End Version
Derby	Apache	*	10.5.3.0 (including)
Sun-javadb	Ubuntu	esm-apps/xenial	*
Sun-javadb	Ubuntu	hardy	*
Sun-javadb	Ubuntu	jaunty	*
Sun-javadb	Ubuntu	karmic	*
Sun-javadb	Ubuntu	lucid	*
Sun-javadb	Ubuntu	maverick	*
Sun-javadb	Ubuntu	natty	*
Sun-javadb	Ubuntu	oneiric	*
Sun-javadb	Ubuntu	precise	*
Sun-javadb	Ubuntu	quantal	*
Sun-javadb	Ubuntu	raring	*
Sun-javadb	Ubuntu	saucy	*
Sun-javadb	Ubuntu	trusty	*
Sun-javadb	Ubuntu	upstream	*
Sun-javadb	Ubuntu	utopic	*
Sun-javadb	Ubuntu	vivid	*
Sun-javadb	Ubuntu	wily	*
Sun-javadb	Ubuntu	xenial	*
Sun-javadb	Ubuntu	yakkety	*

References

http://blogs.sun.com/kah/entry/derby_10_6_1_has
http://db.apache.org/derby/releases/release-10.6.1.0.cgi#Fix+for+Security+Bug+CVE-2009-4269
http://marc.info/?l=apache-db-general\u0026m=127428514905504\u0026w=1
http://marcellmajor.com/derbyhash.html
http://secunia.com/advisories/42948
http://secunia.com/advisories/42970
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.securityfocus.com/bid/42637
http://www.securitytracker.com/id?1024977
http://www.vupen.com/english/advisories/2011/0149
https://issues.apache.org/jira/browse/DERBY-4483

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-4269
CWE	https://cwe.mitre.org/data/definitions/310.html