You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Alexey Goncharuk <ag...@apache.org> on 2020/06/03 10:40:29 UTC
[CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability
Hello all,
Apache Ignite 2.8.1 has been released. The release contain fix of critical
vulnerability
CVE-2020-1963: Apache Ignite access to file system through predefined H2
SQL functions
Severity: Critical
Vendor:
The Apache Software Foundation
Versions Affected:
All versions of Apache Ignite up to 2.8
Impact
An attacker can use embedded H2 SQL functions to access a filesystem for
write and read.
Description:
Apache Ignite uses H2 database to build SQL distributed execution engine.
H2 provides SQL functions which could be used by attacker to access to a
filesystem.
Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing
ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start
Apache Ignite.
Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com
--
Alexey Goncharuk
On Behalf Of Apache Ignite Community