You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Alexey Goncharuk <ag...@apache.org> on 2020/06/03 10:40:29 UTC

[CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hello all,

Apache Ignite 2.8.1 has been released. The release contain fix of critical
vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2
SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for
write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine.
H2 provides SQL functions which could be used by attacker to access to a
filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing
ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start
Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com

--
Alexey Goncharuk
On Behalf Of Apache Ignite Community