[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542992#comment-17542992 ]

Alexey Kukushkin commented on IGNITE-15241:
-------------------------------------------

The [H2's PR 2227|https://github.com/h2database/h2database/pull/2227] really 
makes it impossible to upgrade to a newer H2 version where all the 
vulnerabilities are addressed.

I see the following options to address the problem:
 # None of the vulnerabilities is really applicable to H2 in Apache Ignite due 
to specifics of how Ignite uses H2. See the impact analysis in the description 
of this JIRA.
This can be used as a justification for the appropriate team (DevOps, security) in 
the organization to add the H2 modules used by Ignite to the list of exceptions 
of the security vulnerabilities scanner.
 # H2 module shading: rename the H2 module group or name and replace the 
default H2 with the new one. This could be done manually or using the [Apache 
Maven Shade Plugin|https://maven.apache.org/plugins/maven-shade-plugin/]. There 
is no guarantee that a specific security vulnerability scanner will not detect 
such a trick, but most likely it will not and the scan would be clean.
 # [Calcite-based SQL 
Engine|https://ignite.apache.org/docs/latest/SQL/sql-calcite] was added in 
Ignite 2.13. This is an alternative to H2 and H2 could be excluded if the 
Calcite-based engine is configured. The Calcite engine is in beta in release 
2.13 and the community wants to announce it as production ready in release 2.14 
or 2.15. However, there is no guarantee about that and the release dates are 
not known at the moment of writing this comment.
However, some application development teams may consider trying the Calcite 
engine and it may prove to be stable enough for them, allowing them to get rid of 
the H2 dependency.

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version 
> 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 
> 1.4.197. Black Duck SCA detects these [security 
> vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
>  in H2: 
> !Ignite-H2-Vulnerabilities.png!
> We did a preliminary real impact analysis considering how Ignite uses H2:
> * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] 
>   This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> store data in H2 and thus there can be no H2 backups in Ignite.
> * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
>   This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> support the {{CREATE ALIAS}} statement.
> * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
>   This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 
> version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and 
> up to 2.0.202.
> * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
>   This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 
> in embedded mode. H2 cannot be externally exposed in embedded mode. The 
> vulnerability could be exploited on the local machine where Ignite is 
> running. However, this limits the severity a lot.
> * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
>   This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
>   
> We realize all those vulnerabilities are not applicable to H2 in Apache 
> Ignite. However, our security policies are very formal and require somehow 
> addressing the security vulnerabilities anyway.
> We believe there are lots of other enterprises having the same issue. For 
> example, there is another issue IGNITE-14381 referencing the same problem.
> The latest H2 1.4.200 has no vulnerabilities.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
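Added example, not part of the issue or of the comment above: a small Python check that reads the H2 version actually resolved in a `mvn dependency:tree` dump and compares it with the CVE-2021-23463 range the impact analysis states (1.4.198 up to 2.0.202), so the "Ignite uses H2 1.4.197" premise is verified against the real build instead of assumed. The dependency-tree text is a constructed sample.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output for an application that
# depends on ignite-indexing, which pulls in com.h2database:h2 transitively.
# (Sample text for this example, not taken from the issue.)
SAMPLE_TREE = """\
[INFO] com.example:ignite-app:jar:1.0
[INFO] +- org.apache.ignite:ignite-core:jar:2.13.0:compile
[INFO] \\- org.apache.ignite:ignite-indexing:jar:2.13.0:compile
[INFO]    +- com.h2database:h2:jar:1.4.197:compile
[INFO]    \\- org.apache.lucene:lucene-core:jar:7.4.0:compile
"""

# Affected range for CVE-2021-23463 as stated in the issue's impact analysis:
# H2 1.4.198 up to and including 2.0.202. Other ranges can be added the same way.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {"CVE-2021-23463": ("1.4.198", "2.0.202")}

# Matches the Maven coordinate line for H2 and captures the resolved version.
H2_DEP_RE = re.compile(r"com\.h2database:h2:jar:(\d+(?:\.\d+)*):")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.197' into (1, 4, 197) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def find_h2_version(tree: str) -> Optional[str]:
    """Return the H2 version resolved in a dependency-tree dump, or None if H2 is absent."""
    match = H2_DEP_RE.search(tree)
    return match.group(1) if match else None


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive component-wise check: lo <= version <= hi."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def assess(tree: str) -> Dict[str, object]:
    """Report the resolved H2 version and which listed advisories' ranges it falls into."""
    version = find_h2_version(tree)
    if version is None:
        return {"h2_version": None, "affected": []}
    affected: List[str] = [cve for cve, (lo, hi) in AFFECTED_RANGES.items()
                           if in_range(version, lo, hi)]
    return {"h2_version": version, "affected": affected}


if __name__ == "__main__":
    print(assess(SAMPLE_TREE))
```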