Posted to issues@ignite.apache.org by "Jinchen Zhu (Jira)" <ji...@apache.org> on 2022/09/20 02:31:00 UTC

[jira] [Commented] (IGNITE-15241) Ignite H2 Security Vulnerabilities

    [ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606829#comment-17606829 ] 

Jinchen Zhu commented on IGNITE-15241:
--------------------------------------

Hi [~kukushal],

We tried options 2 & 3 you provided, but it seems they still can't remove the dependency on H2.

For #2, the ignite-index module has a deep dependency on H2; even if we rename the H2 module, how do we modify the reference in ignite-index?

For #3, again ignite-index: in 2.13 we can switch the SQL engine to Calcite, but it seems ignite-index still has to load H2.

We would appreciate your reply, as we really don't have any solutions.

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 1.4.197. Black Duck SCA detects these [security vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893] in H2:
> !Ignite-H2-Vulnerabilities.png!
> We did preliminary real impact analysis considering how Ignite uses H2:
>  * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not store data in H2 and thus there can be no H2 backups in Ignite.
>  * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not support the {{CREATE ALIAS}} statement.
>  * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
> This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and up to 2.0.202.
>  * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
> This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in embedded mode. H2 cannot be externally exposed in embedded mode. The vulnerability could be exploited on the local machine where Ignite is running. However, this limits the severity a lot.
>  * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
> We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. However, our security policies are very formal and require somehow addressing the security vulnerabilities anyway.
> We believe there are lots of other enterprises having the same issue. For example, there is another issue IGNITE-14381 referencing the same problem.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)