[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Kukushkin updated IGNITE-15241:
--------------------------------------
    Description: 
Upgrade H2 dependency of the ignite-indexing module to the latest version 
1.4.200.

Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 
1.4.197. Black Duck SCA detects these [security 
vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
in H2 (see !Ignite-H2-Vulnerabilities.png!):
* *Critical* [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
  *Impact Analysis*: This vulnerability is not applicable to the H2 in Ignite 
since Ignite does not store data in H2 and thus there can be no H2 backups in 
Ignite.
* d !Ignite-H2-Vulnerabilities.png! 

We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. 
However, our security policies are very formal and require somehow addressing 
the security vulnerabilities anyway.

We believe there are lots of other enterprises having the same issue. For 
example, there is another issue IGNITE-14381 referencing the same problem.

The latest H2 1.4.200 has no vulnerabilities.

  was:
Upgrade H2 dependency of the ignite-indexing module to the latest version 
1.4.200.

Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 
1.4.197, which has these two [security 
vulnerabilities|https://www.cvedetails.com/vulnerability-list/vendor_id-17893/product_id-45580/year-2018/H2database-H2.html].

[CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] is regarded as 
a critical vulnerability by our analyzer (Black Duck SCA) and makes it 
impossible to use Ignite SQL due to security policies. We realize this 
vulnerability is probably not even applicable to the H2 in Ignite since there 
is no H2 database or H2 backups in Ignite. Still the security policies are very 
formal and do not allow that anyway.

We believe there are lots of other enterprises having the same issue. For 
example, there is another issue IGNITE-14381 referencing the same problem.

The latest H2 1.4.200 has no vulnerabilities.


> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
