Posted to user@ignite.apache.org by "Lo, Marcus " <ma...@citi.com> on 2022/01/14 09:22:06 UTC

h2 vulnerabilities

Hi,

The current Ignite (v2.11) has h2 v1.4.197 as a dependency, which is subject to the following vulnerabilities. Is there any plan to update to a newer version? Given the currently heightened security awareness, it would be very difficult to make the case to use the current version of Ignite due to corporate security policy. Thanks.

CVE-2021-23463 (BDSA-2021-3744)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463

CVE-2018-10054 (BDSA-2018-1048)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054

BDSA-2022-0048 (H2 Database Vulnerable to Remote Code Execution (RCE) via Unsafe JNDI Class Loading Functionality)
https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

CVE-2018-14335 (BDSA-2018-2507)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335

Regards,
Marcus


Re: h2 vulnerabilities

Posted by Stephen Darlington <st...@gridgain.com>.
2.12 just came out, so the earliest would be 2.13. I’m sure a pull request would be welcomed if you want to take a look yourself.

> On 17 Jan 2022, at 01:29, Lo, Marcus <ma...@citi.com> wrote:
> 
> Thanks. Is there any timeline when this ticket would be picked up and fixed? Thanks.
>  
> Regards,
> Marcus


RE: h2 vulnerabilities

Posted by "Lo, Marcus " <ma...@citi.com>.
Thanks. Is there any timeline when this ticket would be picked up and fixed? Thanks.

Regards,
Marcus

From: [gridgain.com] Stephen Darlington <st...@gridgain.com>
Sent: Friday, January 14, 2022 5:41 PM
To: user
Subject: Re: h2 vulnerabilities

There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).




Re: h2 vulnerabilities

Posted by Stephen Darlington <st...@gridgain.com>.
There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).
