[ 
https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexey Kukushkin updated IGNITE-15241:
--------------------------------------
    Description: 
Upgrade H2 dependency of the ignite-indexing module to the latest version 
1.4.200.

Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database 
version 1.4.197. Black Duck SCA detects these [security 
vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
in H2: 
!Ignite-H2-Vulnerabilities.png!

We did a preliminary real-impact analysis considering how Ignite uses H2:
 * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not 
store data in H2 and thus there can be no H2 backups in Ignite.
 * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not 
support the {{CREATE ALIAS}} statement.
 * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 
version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and 
up to 2.0.202.
 * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in 
embedded mode. H2 cannot be externally exposed in embedded mode. The 
vulnerability could be exploited on the local machine where Ignite is running. 
However, this limits the severity a lot.
 * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
This vulnerability is not applicable to H2 in Ignite since Ignite does not use 
and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.

We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. 
However, our security policies are very formal and require somehow addressing 
the security vulnerabilities anyway.

We believe there are lots of other enterprises that have the same issue. For 
example, another issue, IGNITE-14381, references the same problem.

  was:
Upgrade H2 dependency of the ignite-indexing module to the latest version 
1.4.200.

Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 
1.4.197. Black Duck SCA detects these [security 
vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
 in H2: 
!Ignite-H2-Vulnerabilities.png!

We did a preliminary real-impact analysis considering how Ignite uses H2:
* [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] 
  This vulnerability is not applicable to H2 in Ignite since Ignite does not 
store data in H2 and thus there can be no H2 backups in Ignite.
* [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
  This vulnerability is not applicable to H2 in Ignite since Ignite does not 
support the {{CREATE ALIAS}} statement.
* [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
  This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 
version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and 
up to 2.0.202.
* [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
  This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in 
embedded mode. H2 cannot be externally exposed in embedded mode. The 
vulnerability could be exploited on the local machine where Ignite is running. 
However, this limits the severity a lot.
* [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
  This vulnerability is not applicable to H2 in Ignite since Ignite does not 
use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
  
We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. 
However, our security policies are very formal and require somehow addressing 
the security vulnerabilities anyway.

We believe there are lots of other enterprises that have the same issue. For 
example, another issue, IGNITE-14381, references the same problem.

The latest H2 1.4.200 has no vulnerabilities.


> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
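The applicability argument for CVE-2021-23463 in the description rests on a version-range comparison: H2 1.4.197 is below the affected range "1.4.198 and up to 2.0.202". The script below, an added example that is not part of IGNITE-15241 or of Apache Ignite, encodes only that one range as the description states it (assumed inclusive at both ends; the ranges for the other CVEs are not given on this page and are therefore not encoded) and applies it to both the currently pinned 1.4.197 and the proposed 1.4.200 target. Versions are compared as integer tuples rather than strings so that, for instance, 1.4.97 does not sort above 1.4.200.

```python
"""
Version-range triage check for the CVE-2021-23463 claim in IGNITE-15241.

Added example; not part of the Jira issue or of Apache Ignite.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected range exactly as the issue description states it
# ("1.4.198 and up to 2.0.202"); assumption: both bounds inclusive.
# Other CVEs named on the page give no range there, so none is encoded.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "CVE-2021-23463": ("1.4.198", "2.0.202"),
}

CURRENT_H2 = "1.4.197"   # pinned by ignite-indexing per the issue
PROPOSED_H2 = "1.4.200"  # upgrade target named in the issue


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version into an int tuple for ordering.

    String comparison would rank "1.4.97" above "1.4.200"; integer tuples
    compare element-wise, which is what a version check needs.
    """
    parts = text.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high (inclusive bounds)."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


def affected_by(version: str) -> List[str]:
    """CVE ids from AFFECTED_RANGES whose range contains `version`."""
    return [
        cve
        for cve, (low, high) in AFFECTED_RANGES.items()
        if in_range(version, low, high)
    ]


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Map each candidate version to the CVEs whose stated range it falls in."""
    return {v: affected_by(v) for v in versions}


if __name__ == "__main__":
    for version, cves in triage([CURRENT_H2, PROPOSED_H2]).items():
        verdict = ", ".join(cves) if cves else "outside every encoded range"
        print(f"H2 {version}: {verdict}")
```

Running it prints one line per candidate version. Using only the range the description gives, 1.4.197 falls outside it, while 1.4.200 falls inside it; a triage note that pins an upgrade target is worth re-running through the same range check it used to clear the current version.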
