[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Kukushkin closed IGNITE-15241.
-------------------------------------
Ignite Flags: (was: Docs Required,Release Notes Required)
> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
> Key: IGNITE-15241
> URL: https://issues.apache.org/jira/browse/IGNITE-15241
> Project: Ignite
> Issue Type: Bug
> Components: sql
> Affects Versions: 2.13
> Reporter: Alexey Kukushkin
> Assignee: Alexey Kukushkin
> Priority: Major
> Labels: cggg
> Attachments: Ignite-H2-Vulnerabilities.png
>
> Original Estimate: 80h
> Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version
> 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version
> 1.4.197. Black Duck SCA detects these [security
> vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
> in H2:
> !Ignite-H2-Vulnerabilities.png!
> We did preliminary real impact analysis considering how Ignite uses H2:
> * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not
> store data in H2 and thus there can be no H2 backups in Ignite.
> * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not
> support the {{CREATE ALIAS}} statement
> * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
> This vulnerability is not applicable to H2 in Ignite since Ignite uses H2
> version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and
> up to 2.0.202.
> * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
> This vulnerability is not applicable to H2 in Ignite since Ignite runs H2
> in embedded mode. H2 cannot be externally exposed in embedded mode. The
> vulnerability could be exploited on the local machine where Ignite is
> running. However, this limits the severity a lot.
> * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not
> use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
>
> We realize all those vulnerabilities are not applicable to H2 in Apache
> Ignite. However, our security policies are very formal and require somehow
> addressing the security vulnerabilities anyway.
> We believe there are lots of other enterprises having the same issue. For
> example, there is another issue IGNITE-14381 referencing the same problem.
> The latest H2 1.4.200 has no vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
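The triage above boils down to two checks a supply-chain reviewer would automate: which H2 version the build actually declares, and whether that version lies inside the affected range of each CVE. As an added example (not code from the issue or from the Ignite project), the Python script below pulls the H2 version out of a constructed Maven POM fragment and compares it against the 1.4.200 upgrade target and the one affected range the issue states explicitly (CVE-2021-23463: 1.4.198 up to 2.0.202). The POM fragment, the `h2.version` property name, and the half-open reading of "up to" (lower bound inclusive, upper bound exclusive) are assumptions made for the example; the other CVEs get no range here because the issue gives none.

```python
"""Added example: triage a declared H2 dependency version against the
version ranges discussed in the issue. Not from the Ignite project."""
import re
import xml.etree.ElementTree as ET

# Constructed POM fragment standing in for a module pom.xml (not the real
# ignite-indexing file); the h2.version property is an assumption.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <h2.version>1.4.197</h2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>${h2.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '1.4.197' (or '1.4.197-SNAPSHOT') into a comparable int tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def pom_properties(root):
    """Collect <properties> as a dict so ${prop} references can be resolved."""
    props = root.find("m:properties", NS)
    if props is None:
        return {}
    return {c.tag.split("}", 1)[1]: (c.text or "").strip() for c in props}


def h2_version_from_pom(pom_xml):
    """Return the declared com.h2database:h2 version, resolving ${...}."""
    root = ET.fromstring(pom_xml)
    props = pom_properties(root)
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        if (dep.findtext("m:groupId", namespaces=NS) == "com.h2database"
                and dep.findtext("m:artifactId", namespaces=NS) == "h2"):
            raw = (dep.findtext("m:version", namespaces=NS) or "").strip()
            m = re.fullmatch(r"\$\{(.+)\}", raw)
            return props[m.group(1)] if m else raw
    return None


# Affected range as stated in the issue text; the half-open interval
# [1.4.198, 2.0.202) is an assumption about the wording "up to 2.0.202".
AFFECTED = {
    "CVE-2021-23463": (parse_version("1.4.198"), parse_version("2.0.202")),
}
# Upgrade target named in the issue.
TARGET = parse_version("1.4.200")


def triage(version):
    """Report whether the version is below the target and which stated
    CVE ranges it falls inside."""
    v = parse_version(version)
    hits = [cve for cve, (lo, hi) in AFFECTED.items() if lo <= v < hi]
    return {"version": version, "needs_upgrade": v < TARGET, "in_range": hits}


if __name__ == "__main__":
    declared = h2_version_from_pom(SAMPLE_POM)
    print("declared:", triage(declared))
    print("target:  ", triage("1.4.200"))
```

Running it shows the declared 1.4.197 is below the target and outside the stated CVE-2021-23463 range, while the 1.4.200 target itself falls inside that range; whether that matters for Ignite's embedded use of H2 is exactly the kind of applicability judgement the issue makes by hand, so the script separates "is the version in range" from "is the code path reachable" rather than collapsing them.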