Posted to user@ignite.apache.org by "Lo, Marcus " <ma...@citi.com> on 2022/01/14 09:22:06 UTC
h2 vulnerabilities
Hi,
The current Ignite (v2.11) has h2 v1.4.197 as a dependency, which is subject to the following vulnerabilities. Is there any plan to update to a newer version? Given the currently heightened security awareness, it would be very difficult to make the case to use the current version of Ignite due to corporate security policy. Thanks.
CVE-2021-23463 (BDSA-2021-3744)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463
CVE-2018-10054 (BDSA-2018-1048)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054
BDSA-2022-0048 (H2 Database Vulnerable to Remote Code Execution (RCE) via Unsafe JNDI Class Loading Functionality)
https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
CVE-2018-14335 (BDSA-2018-2507)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335
Regards,
Marcus
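The thread's underlying problem is a vulnerable transitive dependency: nobody depends on h2 directly, it arrives through ignite-indexing, and the question "does my build ship an affected version?" has to be answered per resolved artifact. The script below is an added example written for this thread; it is not Ignite or H2 project code. It parses the text output of `mvn dependency:tree` (a constructed sample is embedded), compares each resolved artifact against a small advisory policy with a simplified Maven version ordering, and reports the dependency path that pulled the affected version in. The `fixed_in` thresholds in the policy are this example's assumptions, not values stated in the thread, and should be verified against the linked advisories before use as a build gate.

```python
"""Gate a build on a known-vulnerable transitive dependency.

Added example for this mailing-list thread (not Ignite or H2 project code).
Parses `mvn dependency:tree` text output, checks every resolved artifact
against a small advisory policy, and reports the dependency path that pulled
in an affected version so the responsible direct dependency is obvious.
"""
import re
from dataclasses import dataclass

# CONSTRUCTED sample of `mvn dependency:tree` output for an application that
# depends on ignite-indexing 2.11.0; the tree shape is illustrative only.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.ignite:ignite-core:jar:2.11.0:compile
[INFO] +- org.apache.ignite:ignite-indexing:jar:2.11.0:compile
[INFO] |  +- com.h2database:h2:jar:1.4.197:compile
[INFO] |  \\- org.apache.lucene:lucene-core:jar:7.4.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""


@dataclass(frozen=True)
class Advisory:
    ids: tuple      # identifiers exactly as listed in the thread
    artifact: str   # Maven groupId:artifactId
    fixed_in: str   # first non-affected version; ASSUMED for this example,
                    # not stated in the thread: verify against the advisory


# Policy for two of the advisories named in the thread. The fixed_in values
# are this example's assumptions and must be checked against the advisories.
POLICY = (
    Advisory(("CVE-2021-23463", "BDSA-2021-3744"), "com.h2database:h2", "2.0.202"),
    Advisory(("GHSA-h376-j262-vhq6", "BDSA-2022-0048"), "com.h2database:h2", "2.0.206"),
)


@dataclass(frozen=True)
class Finding:
    advisory_ids: tuple
    artifact: str
    version: str
    path: tuple     # groupId:artifactId:version from the root down to the hit


# One tree line: "[INFO] ", tree-drawing prefix, then the coordinate string.
_LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*?)(?P<coord>\S+)$")


def parse_version(v):
    """Split '2.0.206-rc1' into ([2, 0, 206], 'rc1').

    Simplified Maven ordering: numeric segments compare as integers, and a
    qualifier sorts below the bare release carrying the same numbers."""
    nums, qualifier = [], ""
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part.lower()
            break
    return nums, qualifier


def version_lt(a, b):
    """True if version a is strictly older than version b."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + [0] * (width - len(na))   # 2.0 compares equal to 2.0.0
    nb = nb + [0] * (width - len(nb))
    if na != nb:
        return na < nb
    if bool(qa) != bool(qb):
        return bool(qa)                 # qualified build precedes the release
    return qa < qb


def parse_tree(text):
    """Return (depth, groupId:artifactId, version) for every tree node."""
    nodes = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue                    # plugin banners, blank lines, etc.
        fields = m.group("coord").split(":")
        if len(fields) < 4:
            continue                    # not group:artifact:packaging:version
        depth = len(m.group("prefix")) // 3  # each tree level is 3 chars wide
        nodes.append((depth, f"{fields[0]}:{fields[1]}", fields[3]))
    return nodes


def find_vulnerable(tree_text, policy=POLICY):
    """Match every resolved artifact against the policy, keeping its path."""
    findings = []
    ancestors = []                      # ancestors[d] is the node at depth d
    for depth, ga, version in parse_tree(tree_text):
        del ancestors[depth:]           # pop back up to this node's parent
        ancestors.append(f"{ga}:{version}")
        for adv in policy:
            if adv.artifact == ga and version_lt(version, adv.fixed_in):
                findings.append(Finding(adv.ids, ga, version, tuple(ancestors)))
    return findings


if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_TREE)
    for f in hits:
        print(f"{', '.join(f.advisory_ids)}: {f.artifact} {f.version}")
        print("   via " + " -> ".join(f.path))
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the build gate
```

Run against real output with `mvn dependency:tree | python3 gate.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`. The path in each finding is what makes the result actionable: it shows that the fix is a newer ignite-indexing (or an explicit `dependencyManagement` override of h2), not a change to the application's own declared dependencies, and it keeps a record of which advisories were evaluated against which resolved version.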
Re: h2 vulnerabilities
Posted by Stephen Darlington <st...@gridgain.com>.
2.12 just came out, so the earliest would be 2.13. I’m sure a pull request would be welcomed if you want to take a look yourself.
> On 17 Jan 2022, at 01:29, Lo, Marcus <ma...@citi.com> wrote:
>
> Thanks. Is there any timeline when this ticket would be picked up and fixed? Thanks.
>
> Regards,
> Marcus
RE: h2 vulnerabilities
Posted by "Lo, Marcus " <ma...@citi.com>.
Thanks. Is there any timeline when this ticket would be picked up and fixed? Thanks.
Regards,
Marcus
From: [gridgain.com] Stephen Darlington <st...@gridgain.com>
Sent: Friday, January 14, 2022 5:41 PM
To: user
Subject: Re: h2 vulnerabilities
There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).
Re: h2 vulnerabilities
Posted by Stephen Darlington <st...@gridgain.com>.
There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).
> On 14 Jan 2022, at 09:22, Lo, Marcus <ma...@citi.com> wrote: