Apache Derby Release Notes

Complete Changelog for NES for Apache Derby

1 Patched Vulnerability

Apache Derby

10.14.3 (NES) - March 31, 2025

Notes

  • This release originates from the open‑source Derby project, which HeroDevs forked. It includes modifications made by HeroDevs to ensure successful framework builds.

Bug Fixes

This release patches the following:

  • CVE-2022-46337: Derby before 10.16, 10.15, and 10.14 allows a cleverly devised username to bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server.

Full Version: 10.14.2.0-derby-10.14.3