[CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Юрий <ju...@gmail.com>]

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical
vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2
SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for
write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine.
H2 provides SQL functions which could be used by attacker to access to a
filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing
ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start
Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com

-- 
Живи с улыбкой! :D

Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Denis Magda <dm...@apache.org>]

This is an official update to the "Credit" section of the vulnerability
announcement.

Credit:
The vulnerability was initially discovered by Jinny Ramsmark of Defensify
and further reported to the Ignite community by Sriveena Mattaparth of
Ekaplus"

Denis Magda,
On behalf of Apache Ignite PMC

On Mon, Jun 8, 2020 at 1:30 AM Юрий <ju...@gmail.com> wrote:

> Denis,
>
> It has been done in the same day as it announced here as described at
> https://www.apache.org/security/committers.html#vulnerability-handling.
> Probably it require some time to information to be updated.
>
>
> Also I can confirm that no any plans to provide patch for any previous
> versions of Ignite.
>
>
>
> пт, 5 июн. 2020 г. в 19:20, Denis Magda <dm...@apache.org>:
>
>> Yury,
>>
>> Could you please update the CVE with the details from this announcement?
>>
>> Nick, to my knowledge, there are no any plans to propagate this fix to
>> the downstream versions such as 2.7, etc.
>>
>> -
>> Denis
>>
>>
>> On Wed, Jun 3, 2020 at 8:10 AM Nick Popov <NP...@tdecu.org> wrote:
>>
>>> Are you going to provide CVE-2020-1964 patches and patch instructions
>>> for previous Ignite versions?
>>>
>>>
>>>
>>> Regards,
>>>
>>> -Nick
>>>
>>>
>>>
>>> *From:* Sriveena Mattaparthi <Sr...@ekaplus.com>
>>> *Sent:* Wednesday, June 3, 2020 9:04 AM
>>> *To:* user@ignite.apache.org; dev <de...@ignite.apache.org>;
>>> announce@apache.org; Apache Security Team <se...@apache.org>
>>> *Subject:* COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file
>>> system disclosure vulnerability
>>>
>>>
>>>
>>> Thanks, Could you please confirm when the analysis will be updated here
>>> for the CVE logged.
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2020-1963
>>>
>>>
>>>
>>> Regards,
>>> Sriveena
>>>
>>>
>>>
>>> *From:* Юрий <ju...@gmail.com>
>>> *Sent:* 03 June 2020 16:02
>>> *To:* dev <de...@ignite.apache.org>; user@ignite.apache.org;
>>> announce@apache.org; Apache Security Team <se...@apache.org>;
>>> Sriveena Mattaparthi <Sr...@ekaplus.com>
>>> *Subject:* [CVE-2020-1963] Apache Ignite access to file system
>>> disclosure vulnerability
>>>
>>>
>>>
>>> Hi All,
>>>
>>> Apache Ignite 2.8.1 has been released. The release contain fix of
>>> critical vulnerability
>>>
>>> CVE-2020-1963: Apache Ignite access to file system through predefined H2
>>> SQL functions
>>>
>>> Severity: Critical
>>>
>>> Vendor:
>>> The Apache Software Foundation
>>>
>>> Versions Affected:
>>> All versions of Apache Ignite up to 2.8
>>>
>>> Impact
>>> An attacker can use embedded H2 SQL functions to access a filesystem for
>>> write and read.
>>>
>>> Description:
>>> Apache Ignite uses H2 database to build SQL distributed execution
>>> engine. H2 provides SQL functions which could be used by attacker to access
>>> to a filesystem.
>>>
>>> Mitigation:
>>> Ignite 2.8 or earlier users should upgrade to 2.8.1
>>> In case SQL is not used at all the issue could be mitigated by removing
>>> ignite-indexing.jar from Ignite classpath
>>> Risk could be partially mitigated by using non privileged user to start
>>> Apache Ignite.
>>>
>>> Credit:
>>> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
>>> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>
>>>
>>>
>>>
>>> --
>>>
>>> Живи с улыбкой! :D
>>>
>>> “Confidentiality Notice: The contents of this email message and any
>>> attachments are intended solely for the addressee(s) and may contain
>>> confidential and/or privileged information and may be legally protected
>>> from disclosure. If you are not the intended recipient of this message or
>>> their agent, or if this message has been addressed to you in error, please
>>> immediately alert the sender by reply email and then delete this message
>>> and any attachments. If you are not the intended recipient, you are hereby
>>> notified that any use, dissemination, copying, or storage of this message
>>> or its attachments is strictly prohibited.”
>>>
>>>
>>>
>>>  CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.
>>>
>>>
>>>
>>>
>>>
>>>
>>> TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.
>>>
>>>
>>>
>>>
>
> --
> Живи с улыбкой! :D
>

Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Denis Magda <dm...@apache.org>]

This is an official update to the "Credit" section of the vulnerability
announcement.

Credit:
The vulnerability was initially discovered by Jinny Ramsmark of Defensify
and further reported to the Ignite community by Sriveena Mattaparth of
Ekaplus"

Denis Magda,
On behalf of Apache Ignite PMC

On Mon, Jun 8, 2020 at 1:30 AM Юрий <ju...@gmail.com> wrote:

> Denis,
>
> It has been done in the same day as it announced here as described at
> https://www.apache.org/security/committers.html#vulnerability-handling.
> Probably it require some time to information to be updated.
>
>
> Also I can confirm that no any plans to provide patch for any previous
> versions of Ignite.
>
>
>
> пт, 5 июн. 2020 г. в 19:20, Denis Magda <dm...@apache.org>:
>
>> Yury,
>>
>> Could you please update the CVE with the details from this announcement?
>>
>> Nick, to my knowledge, there are no any plans to propagate this fix to
>> the downstream versions such as 2.7, etc.
>>
>> -
>> Denis
>>
>>
>> On Wed, Jun 3, 2020 at 8:10 AM Nick Popov <NP...@tdecu.org> wrote:
>>
>>> Are you going to provide CVE-2020-1964 patches and patch instructions
>>> for previous Ignite versions?
>>>
>>>
>>>
>>> Regards,
>>>
>>> -Nick
>>>
>>>
>>>
>>> *From:* Sriveena Mattaparthi <Sr...@ekaplus.com>
>>> *Sent:* Wednesday, June 3, 2020 9:04 AM
>>> *To:* user@ignite.apache.org; dev <de...@ignite.apache.org>;
>>> announce@apache.org; Apache Security Team <se...@apache.org>
>>> *Subject:* COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file
>>> system disclosure vulnerability
>>>
>>>
>>>
>>> Thanks, Could you please confirm when the analysis will be updated here
>>> for the CVE logged.
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2020-1963
>>>
>>>
>>>
>>> Regards,
>>> Sriveena
>>>
>>>
>>>
>>> *From:* Юрий <ju...@gmail.com>
>>> *Sent:* 03 June 2020 16:02
>>> *To:* dev <de...@ignite.apache.org>; user@ignite.apache.org;
>>> announce@apache.org; Apache Security Team <se...@apache.org>;
>>> Sriveena Mattaparthi <Sr...@ekaplus.com>
>>> *Subject:* [CVE-2020-1963] Apache Ignite access to file system
>>> disclosure vulnerability
>>>
>>>
>>>
>>> Hi All,
>>>
>>> Apache Ignite 2.8.1 has been released. The release contain fix of
>>> critical vulnerability
>>>
>>> CVE-2020-1963: Apache Ignite access to file system through predefined H2
>>> SQL functions
>>>
>>> Severity: Critical
>>>
>>> Vendor:
>>> The Apache Software Foundation
>>>
>>> Versions Affected:
>>> All versions of Apache Ignite up to 2.8
>>>
>>> Impact
>>> An attacker can use embedded H2 SQL functions to access a filesystem for
>>> write and read.
>>>
>>> Description:
>>> Apache Ignite uses H2 database to build SQL distributed execution
>>> engine. H2 provides SQL functions which could be used by attacker to access
>>> to a filesystem.
>>>
>>> Mitigation:
>>> Ignite 2.8 or earlier users should upgrade to 2.8.1
>>> In case SQL is not used at all the issue could be mitigated by removing
>>> ignite-indexing.jar from Ignite classpath
>>> Risk could be partially mitigated by using non privileged user to start
>>> Apache Ignite.
>>>
>>> Credit:
>>> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
>>> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>
>>>
>>>
>>>
>>> --
>>>
>>> Живи с улыбкой! :D
>>>
>>> “Confidentiality Notice: The contents of this email message and any
>>> attachments are intended solely for the addressee(s) and may contain
>>> confidential and/or privileged information and may be legally protected
>>> from disclosure. If you are not the intended recipient of this message or
>>> their agent, or if this message has been addressed to you in error, please
>>> immediately alert the sender by reply email and then delete this message
>>> and any attachments. If you are not the intended recipient, you are hereby
>>> notified that any use, dissemination, copying, or storage of this message
>>> or its attachments is strictly prohibited.”
>>>
>>>
>>>
>>>  CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.
>>>
>>>
>>>
>>>
>>>
>>>
>>> TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.
>>>
>>>
>>>
>>>
>
> --
> Живи с улыбкой! :D
>

Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Юрий <ju...@gmail.com>]

Denis,

It has been done in the same day as it announced here as described at
https://www.apache.org/security/committers.html#vulnerability-handling.
Probably it require some time to information to be updated.


Also I can confirm that no any plans to provide patch for any previous
versions of Ignite.



пт, 5 июн. 2020 г. в 19:20, Denis Magda <dm...@apache.org>:

> Yury,
>
> Could you please update the CVE with the details from this announcement?
>
> Nick, to my knowledge, there are no any plans to propagate this fix to the
> downstream versions such as 2.7, etc.
>
> -
> Denis
>
>
> On Wed, Jun 3, 2020 at 8:10 AM Nick Popov <NP...@tdecu.org> wrote:
>
>> Are you going to provide CVE-2020-1964 patches and patch instructions for
>> previous Ignite versions?
>>
>>
>>
>> Regards,
>>
>> -Nick
>>
>>
>>
>> *From:* Sriveena Mattaparthi <Sr...@ekaplus.com>
>> *Sent:* Wednesday, June 3, 2020 9:04 AM
>> *To:* user@ignite.apache.org; dev <de...@ignite.apache.org>;
>> announce@apache.org; Apache Security Team <se...@apache.org>
>> *Subject:* COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file
>> system disclosure vulnerability
>>
>>
>>
>> Thanks, Could you please confirm when the analysis will be updated here
>> for the CVE logged.
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2020-1963
>>
>>
>>
>> Regards,
>> Sriveena
>>
>>
>>
>> *From:* Юрий <ju...@gmail.com>
>> *Sent:* 03 June 2020 16:02
>> *To:* dev <de...@ignite.apache.org>; user@ignite.apache.org;
>> announce@apache.org; Apache Security Team <se...@apache.org>;
>> Sriveena Mattaparthi <Sr...@ekaplus.com>
>> *Subject:* [CVE-2020-1963] Apache Ignite access to file system
>> disclosure vulnerability
>>
>>
>>
>> Hi All,
>>
>> Apache Ignite 2.8.1 has been released. The release contain fix of
>> critical vulnerability
>>
>> CVE-2020-1963: Apache Ignite access to file system through predefined H2
>> SQL functions
>>
>> Severity: Critical
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> All versions of Apache Ignite up to 2.8
>>
>> Impact
>> An attacker can use embedded H2 SQL functions to access a filesystem for
>> write and read.
>>
>> Description:
>> Apache Ignite uses H2 database to build SQL distributed execution engine.
>> H2 provides SQL functions which could be used by attacker to access to a
>> filesystem.
>>
>> Mitigation:
>> Ignite 2.8 or earlier users should upgrade to 2.8.1
>> In case SQL is not used at all the issue could be mitigated by removing
>> ignite-indexing.jar from Ignite classpath
>> Risk could be partially mitigated by using non privileged user to start
>> Apache Ignite.
>>
>> Credit:
>> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
>> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>
>>
>>
>>
>> --
>>
>> Живи с улыбкой! :D
>>
>> “Confidentiality Notice: The contents of this email message and any
>> attachments are intended solely for the addressee(s) and may contain
>> confidential and/or privileged information and may be legally protected
>> from disclosure. If you are not the intended recipient of this message or
>> their agent, or if this message has been addressed to you in error, please
>> immediately alert the sender by reply email and then delete this message
>> and any attachments. If you are not the intended recipient, you are hereby
>> notified that any use, dissemination, copying, or storage of this message
>> or its attachments is strictly prohibited.”
>>
>>
>>
>>  CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>>
>>
>>
>>
>> TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.
>>
>>
>>
>>

-- 
Живи с улыбкой! :D

Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Denis Magda <dm...@apache.org>]

Yury,

Could you please update the CVE with the details from this announcement?

Nick, to my knowledge, there are no any plans to propagate this fix to the
downstream versions such as 2.7, etc.

-
Denis


On Wed, Jun 3, 2020 at 8:10 AM Nick Popov <NP...@tdecu.org> wrote:

> Are you going to provide CVE-2020-1964 patches and patch instructions for
> previous Ignite versions?
>
>
>
> Regards,
>
> -Nick
>
>
>
> *From:* Sriveena Mattaparthi <Sr...@ekaplus.com>
> *Sent:* Wednesday, June 3, 2020 9:04 AM
> *To:* user@ignite.apache.org; dev <de...@ignite.apache.org>;
> announce@apache.org; Apache Security Team <se...@apache.org>
> *Subject:* COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file
> system disclosure vulnerability
>
>
>
> Thanks, Could you please confirm when the analysis will be updated here
> for the CVE logged.
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-1963
>
>
>
> Regards,
> Sriveena
>
>
>
> *From:* Юрий <ju...@gmail.com>
> *Sent:* 03 June 2020 16:02
> *To:* dev <de...@ignite.apache.org>; user@ignite.apache.org;
> announce@apache.org; Apache Security Team <se...@apache.org>; Sriveena
> Mattaparthi <Sr...@ekaplus.com>
> *Subject:* [CVE-2020-1963] Apache Ignite access to file system disclosure
> vulnerability
>
>
>
> Hi All,
>
> Apache Ignite 2.8.1 has been released. The release contain fix of critical
> vulnerability
>
> CVE-2020-1963: Apache Ignite access to file system through predefined H2
> SQL functions
>
> Severity: Critical
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Ignite up to 2.8
>
> Impact
> An attacker can use embedded H2 SQL functions to access a filesystem for
> write and read.
>
> Description:
> Apache Ignite uses H2 database to build SQL distributed execution engine.
> H2 provides SQL functions which could be used by attacker to access to a
> filesystem.
>
> Mitigation:
> Ignite 2.8 or earlier users should upgrade to 2.8.1
> In case SQL is not used at all the issue could be mitigated by removing
> ignite-indexing.jar from Ignite classpath
> Risk could be partially mitigated by using non privileged user to start
> Apache Ignite.
>
> Credit:
> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>
>
>
>
> --
>
> Живи с улыбкой! :D
>
> “Confidentiality Notice: The contents of this email message and any
> attachments are intended solely for the addressee(s) and may contain
> confidential and/or privileged information and may be legally protected
> from disclosure. If you are not the intended recipient of this message or
> their agent, or if this message has been addressed to you in error, please
> immediately alert the sender by reply email and then delete this message
> and any attachments. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, copying, or storage of this message
> or its attachments is strictly prohibited.”
>
>
>
>  CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.
>
>
>
>
>
>
> TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.
>
>
>
>

RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Nick Popov <NP...@tdecu.org>]

Are you going to provide CVE-2020-1964 patches and patch instructions for previous Ignite versions?

Regards,
-Nick

From: Sriveena Mattaparthi <Sr...@ekaplus.com>
Sent: Wednesday, June 3, 2020 9:04 AM
To: user@ignite.apache.org; dev <de...@ignite.apache.org>; announce@apache.org; Apache Security Team <se...@apache.org>
Subject: COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Thanks, Could you please confirm when the analysis will be updated here for the CVE logged.
https://nvd.nist.gov/vuln/detail/CVE-2020-1963

Regards,
Sriveena

From: Юрий <ju...@gmail.com>>
Sent: 03 June 2020 16:02
To: dev <de...@ignite.apache.org>>; user@ignite.apache.org<ma...@ignite.apache.org>; announce@apache.org<ma...@apache.org>; Apache Security Team <se...@apache.org>>; Sriveena Mattaparthi <Sr...@ekaplus.com>>
Subject: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>

--
Живи с улыбкой! :D
“Confidentiality Notice: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.”





CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.



TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.

RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Nick Popov <NP...@tdecu.org>]

Are you going to provide CVE-2020-1964 patches and patch instructions for previous Ignite versions?

Regards,
-Nick

From: Sriveena Mattaparthi <Sr...@ekaplus.com>
Sent: Wednesday, June 3, 2020 9:04 AM
To: user@ignite.apache.org; dev <de...@ignite.apache.org>; announce@apache.org; Apache Security Team <se...@apache.org>
Subject: COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Thanks, Could you please confirm when the analysis will be updated here for the CVE logged.
https://nvd.nist.gov/vuln/detail/CVE-2020-1963

Regards,
Sriveena

From: Юрий <ju...@gmail.com>>
Sent: 03 June 2020 16:02
To: dev <de...@ignite.apache.org>>; user@ignite.apache.org<ma...@ignite.apache.org>; announce@apache.org<ma...@apache.org>; Apache Security Team <se...@apache.org>>; Sriveena Mattaparthi <Sr...@ekaplus.com>>
Subject: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>

--
Живи с улыбкой! :D
“Confidentiality Notice: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.”





CAUTION EXTERNAL EMAIL - The email originated outside the organization.  Do not click on any links or open attachments unless you recognize the sender and know the content is safe.



TDECU and our subsidiaries are committed to maintaining Member confidentiality. Please note this message is being sent using a secure connection to ensure all information remains private and confidential. The information contained in this message is intended only for the recipient. If the reader of this message is not the intended recipient, please delete immediately.

RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Sriveena Mattaparthi <Sr...@ekaplus.com>]

Thanks, Could you please confirm when the analysis will be updated here for the CVE logged.
https://nvd.nist.gov/vuln/detail/CVE-2020-1963

Regards,
Sriveena

From: Юрий <ju...@gmail.com>
Sent: 03 June 2020 16:02
To: dev <de...@ignite.apache.org>; user@ignite.apache.org; announce@apache.org; Apache Security Team <se...@apache.org>; Sriveena Mattaparthi <Sr...@ekaplus.com>
Subject: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>

--
Живи с улыбкой! :D
“Confidentiality Notice: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.”

RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

[Sriveena Mattaparthi <Sr...@ekaplus.com>]

Thanks, Could you please confirm when the analysis will be updated here for the CVE logged.
https://nvd.nist.gov/vuln/detail/CVE-2020-1963

Regards,
Sriveena

From: Юрий <ju...@gmail.com>
Sent: 03 June 2020 16:02
To: dev <de...@ignite.apache.org>; user@ignite.apache.org; announce@apache.org; Apache Security Team <se...@apache.org>; Sriveena Mattaparthi <Sr...@ekaplus.com>
Subject: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>

--
Живи с улыбкой! :D
“Confidentiality Notice: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.”