[
https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexey Kukushkin updated IGNITE-15241:
--------------------------------------
Description:
Upgrade H2 dependency of the ignite-indexing module to the latest version
1.4.200.
Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version
1.4.197. Black Duck SCA detects these [security
vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
in H2:
!Ignite-H2-Vulnerabilities.png!
We did preliminary real impact analysis considering how Ignite uses H2:
* [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not
store data in H2 and thus there can be no H2 backups in Ignite.
* [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not
support the {{CREATE ALIAS}} statement
* [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
This vulnerability is not applicable to H2 in Ignite since Ignite uses H2
version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and
up to 2.0.202.
* [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
We realize all those vulnerabilities are not applicable to H2 in Apache Ignite.
However, our security policies are very formal and require somehow addressing
the security vulnerabilities anyway.
We believe there are lots of other enterprises having the same issue. For
example, there is another issue IGNITE-14381 referencing the same problem.
The latest H2 1.4.200 has no vulnerabilities.
was:
Upgrade H2 dependency of the ignite-indexing module to the latest version
1.4.200.
Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version
1.4.197. Black Duck SCA detects these [security
vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
in H2:
!Ignite-H2-Vulnerabilities.png!
We did preliminary *real* impact analysis considering how Ignite uses H2:
* [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not
store data in H2 and thus there can be no H2 backups in Ignite.
* [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not
support the {{CREATE ALIAS}} statement
* [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
This vulnerability is not applicable to H2 in Ignite since Ignite uses H2
version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and
up to 2.0.202.
*
We realize all those vulnerabilities are not applicable to H2 in Apache Ignite.
However, our security policies are very formal and require somehow addressing
the security vulnerabilities anyway.
We believe there are lots of other enterprises having the same issue. For
example, there is another issue IGNITE-14381 referencing the same problem.
The latest H2 1.4.200 has no vulnerabilities.
> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
> Key: IGNITE-15241
> URL: https://issues.apache.org/jira/browse/IGNITE-15241
> Project: Ignite
> Issue Type: Bug
> Components: sql
> Affects Versions: 2.13
> Reporter: Alexey Kukushkin
> Assignee: Alexey Kukushkin
> Priority: Major
> Labels: cggg
> Attachments: Ignite-H2-Vulnerabilities.png
>
> Original Estimate: 80h
> Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version
> 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version
> 1.4.197. Black Duck SCA detects these [security
> vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
> in H2:
> !Ignite-H2-Vulnerabilities.png!
> We did preliminary real impact analysis considering how Ignite uses H2:
> * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not
> store data in H2 and thus there can be no H2 backups in Ignite.
> * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not
> support the {{CREATE ALIAS}} statement
> * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
> This vulnerability is not applicable to H2 in Ignite since Ignite uses H2
> version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and
> up to 2.0.202.
> * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
>
> We realize all those vulnerabilities are not applicable to H2 in Apache
> Ignite. However, our security policies are very formal and require somehow
> addressing the security vulnerabilities anyway.
> We believe there are lots of other enterprises having the same issue. For
> example, there is another issue IGNITE-14381 referencing the same problem.
> The latest H2 1.4.200 has no vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
