Raman N created NIFI-9675:
-----------------------------
Summary: Upgrade H2 to 2.1.210 to mitigate Critical CVEs
Key: NIFI-9675
URL: https://issues.apache.org/jira/browse/NIFI-9675
Project: Apache NiFi
Issue Type: Improvement
Reporter: Raman N
In the H2 versions used in Apache NiFi, the following vulnerabilities are detected by
Trivy:
[https://nvd.nist.gov/vuln/detail/CVE-2021-42392]
[https://nvd.nist.gov/vuln/detail/CVE-2022-23221]
These CVEs can be fixed by upgrading the *h2* version to 2.1.210.
*CVE-2021-42392:*
{code:json}
{
  "VulnerabilityID": "CVE-2021-42392",
  "PkgName": "com.h2database:h2",
  "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
  "InstalledVersion": "1.4.199",
  "FixedVersion": "2.0.206",
  "Layer": {
    "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
    "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
  },
  "SeveritySource": "ghsa-maven",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42392",
  "Title": "h2: Remote Code Execution in Console",
  "Description": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.",
  "Severity": "CRITICAL",
  "CweIDs": [
    "CWE-502"
  ],
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V2Score": 10,
      "V3Score": 9.8
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "V3Score": 7.1
    }
  } ...
{code}
*CVE-2022-23221:*
{code:json}
{
  "VulnerabilityID": "CVE-2022-23221",
  "PkgName": "com.h2database:h2",
  "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
  "InstalledVersion": "1.4.199",
  "FixedVersion": "2.1.210",
  "Layer": {
    "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
    "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
  },
  "SeveritySource": "ghsa-maven",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23221",
  "Title": "h2: Loading of custom classes from remote servers through JNDI",
  "Description": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.",
  "Severity": "CRITICAL",
  "CweIDs": [
    "CWE-94"
  ],
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V2Score": 10,
      "V3Score": 9.8
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V3Score": 8.1
    }
  },..
{code}
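As an added example (not part of this issue or of the NiFi project), a small Python script that reads Trivy JSON output like the records above and works out, per package, the lowest version that closes every listed finding; the two CVEs here carry different FixedVersion values (2.0.206 and 2.1.210), so the upgrade target has to be the higher one. The embedded report is constructed from the two findings in this issue, and the Results/Vulnerabilities nesting and field names are assumed to follow Trivy's JSON report layout.

```python
import json
import re
from typing import Dict, Tuple

# Constructed sample: the two findings from this issue, trimmed to the fields used
# below and wrapped in the Results/Vulnerabilities structure Trivy emits with --format json.
TRIVY_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "Java",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-42392", "PkgName": "com.h2database:h2",
         "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
         "InstalledVersion": "1.4.199", "FixedVersion": "2.0.206", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2022-23221", "PkgName": "com.h2database:h2",
         "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
         "InstalledVersion": "1.4.199", "FixedVersion": "2.1.210", "Severity": "CRITICAL"}
      ]
    }
  ]
}
""")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple: "1.4.199" -> (1, 4, 199)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def upgrade_targets(report: dict, severities=("CRITICAL", "HIGH")) -> Dict[str, dict]:
    """Per package: installed version, the version that closes *all* selected findings
    (the maximum over their FixedVersion values), and the CVE ids it covers."""
    targets: Dict[str, dict] = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if vuln.get("Severity") not in severities or not fixed:
                continue  # unfixed or lower-severity findings need a separate decision
            entry = targets.setdefault(vuln["PkgName"], {
                "installed": vuln["InstalledVersion"], "target": fixed, "cves": []})
            entry["cves"].append(vuln["VulnerabilityID"])
            if parse_version(fixed) > parse_version(entry["target"]):
                entry["target"] = fixed  # a later fix supersedes an earlier one
    return targets


if __name__ == "__main__":
    for pkg, info in upgrade_targets(TRIVY_REPORT).items():
        print(f"{pkg}: {info['installed']} -> {info['target']} closes {', '.join(info['cves'])}")
```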
--
This message was sent by Atlassian Jira
(v8.20.1#820001)