Thank you for pointing that out. I do understand that not everything applies to Ignite, but unfortunately some of us need to adhere to blank security policies that don't take the impact analysis into consideration.
Thank you for the clarification.
Vladik

From: Andrey Mashenkov <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 11, 2019 at 04:40
To: "[email protected]" <[email protected]>, "Sobolevsky, Vladik" <[email protected]>
Subject: Re: H2 version security concern

Hi,

The mentioned CVE does not affect Ignite.
Please see the discussion on the dev-list.
http://apache-ignite-developers.2346864.n4.nabble.com/H2-license-and-vulnerabilities-td40417.html#a40418

On Wed, Dec 11, 2019 at 2:22 AM Evgenii Zhuravlev <[email protected]> wrote:

Hi,

There are plans to replace H2 with Calcite. You can read more about it on the dev list; I've seen several threads regarding this topic there.

Evgenii

Tue, Dec 10, 2019 at 13:29, Sobolevsky, Vladik <[email protected]>:

Hi,

It looks like all the recent versions of Apache Ignite (apache ignite indexing) depend on H2 version 1.4.197.
This version has at least 2 CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2018-10054
https://nvd.nist.gov/vuln/detail/CVE-2018-14335

I do understand that not all of the above CVEs can be exploited due to the way Ignite uses H2, but still: are there any plans to upgrade to a version that doesn't have those?

Thank you,
Vladik

--
Best regards,
Andrey V. Mashenkov
