[#IGNITE-15241] Ignite H2 Security Vulnerabilities - ASF JIRA

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 2.13
  • Fix Version/s: None
  • Component/s: sql
  • Labels:
    • cggg

Description

Upgrade H2 dependency of the ignite-indexing module to the latest version 1.4.200.

Apache Ignite SQL (module ignite-indexing) depends on H2 database version 1.4.197. Black Duck SCA detects these security vulnerabilities in H2:

We did preliminary real impact analysis considering how Ignite uses H2:

  • CVE-2018-14335 This vulnerability is not applicable to H2 in Ignite since Ignite does not store data in H2 and thus there can be no H2 backups in Ignite.
  • CVE-2018-10054 This vulnerability is not applicable to H2 in Ignite since Ignite does not support the CREATE ALIAS statement.
  • CVE-2021-23463 This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and up to 2.0.202.
  • CVE-2022-23221 This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in embedded mode. H2 cannot be externally exposed in embedded mode. The vulnerability could be exploited on the local machine where Ignite is running. However, this limits the severity a lot.
  • CVE-2021-42392 This vulnerability is not applicable to H2 in Ignite since Ignite does not use and does not expose the org.h2.util.JdbcUtils.getConnection method.

We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. However, our security policies are very formal and require that the security vulnerabilities be addressed somehow anyway.

We believe there are lots of other enterprises having the same issue. For example, there is another issue IGNITE-14381 referencing the same problem.
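The version-range reasoning above for CVE-2021-23463 can be mechanised so the check is repeatable when the dependency changes. The Python below is an added example for this page, not Ignite or H2 project code: it extracts the resolved H2 version from `mvn dependency:tree` output (the sample lines are constructed, not real build output) and tests it against the range the issue states for CVE-2021-23463. It assumes the upper bound "up to 2.0.202" means the fixed release, i.e. exclusive, and that versions are plain dotted integers; the CVE identifier and range are the ones quoted in the description. Applied to the stated range it reports 1.4.197 as outside and 1.4.200, the proposed upgrade target, as inside.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output (format groupId:artifactId:packaging:version:scope).
# Not real build output; it only illustrates the line shape the parser expects.
SAMPLE_TREE = """\
[INFO] org.apache.ignite:ignite-indexing:jar:2.13.0
[INFO] +- com.h2database:h2:jar:1.4.197:compile
[INFO] +- org.apache.lucene:lucene-core:jar:7.4.0:compile
"""

# Range as stated in the issue description: 1.4.198 "and up to 2.0.202".
# Assumption: the upper bound is the fixed release and therefore exclusive.
CVE_2021_23463 = ("CVE-2021-23463", "1.4.198", "2.0.202")


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted numeric version to an int tuple.

    Numeric comparison matters here: lexically "1.4.97" > "1.4.200",
    which would misclassify the very versions this issue is about.
    Assumes plain dotted integers (no -SNAPSHOT or rc suffixes).
    """
    return tuple(int(part) for part in version.split("."))


def find_h2_version(tree_output: str) -> Optional[str]:
    """Pull the resolved com.h2database:h2 version out of dependency:tree text."""
    match = re.search(r"com\.h2database:h2:jar:([0-9.]+):", tree_output)
    return match.group(1) if match else None


def in_affected_range(version: str, lo_inclusive: str, hi_exclusive: str) -> bool:
    """True when lo_inclusive <= version < hi_exclusive, compared numerically."""
    v = parse_version(version)
    return parse_version(lo_inclusive) <= v < parse_version(hi_exclusive)


def assess(version: str, cve: Tuple[str, str, str]) -> Dict[str, object]:
    """Return a small, loggable verdict for one CVE against one resolved version."""
    cve_id, lo, hi = cve
    return {
        "cve": cve_id,
        "version": version,
        "affected": in_affected_range(version, lo, hi),
        "range": f"[{lo}, {hi})",
    }


if __name__ == "__main__":
    resolved = find_h2_version(SAMPLE_TREE)
    print(assess(resolved, CVE_2021_23463))
    # Same check for the upgrade target proposed in the issue.
    print(assess("1.4.200", CVE_2021_23463))
```

Only the range for CVE-2021-23463 is given on this page, so that is the only entry encoded; the other four CVEs in the analysis are argued on usage, not version, and would need their affected ranges from the advisories before they could be added to the same table.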

Attachments

  • Ignite-H2-Vulnerabilities.png (33 kB, uploaded 27/May/22 08:44 by Alexey Kukushkin)

Issue Links

fixes

  • IGNITE-14381 Failed to initialize DB connection - Unsupported connection setting "MULTI_THREADED" (Bug, Major, Open)

is duplicated by

  • IGNITE-16384 H2 database used in Ignite has high security vulnerabilities (Bug, Critical, Resolved)

People

Assignee: Alexey Kukushkin (kukushal)
Reporter: Alexey Kukushkin (kukushal)
Votes: 1
Watchers: 6

Dates

Created: 03/Aug/21 19:12
Updated: 25/Sep/22 14:48
Resolved: 27/May/22 16:08

Time Tracking

Original Estimate: 80h
Remaining Estimate: 80h
Time Spent: Not Specified
