Use a current version of Derby (as supported for the Java version we support).
DERBY-6807 XXE attack possible by using XmlVTI and the XML datatype