Posted to issues@ignite.apache.org by "Alexey Kukushkin (Jira)" <ji...@apache.org> on 2021/08/03 21:13:00 UTC

[jira] [Updated] (IGNITE-15241) Ignite H2 Security Vulnerabilities

     [ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Kukushkin updated IGNITE-15241:
--------------------------------------
    Issue Type: Bug  (was: Improvement)
       Summary: Ignite H2 Security Vulnerabilities  (was: Upgrade H2 dependency)

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.10
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 1.4.197, which has these two [security vulnerabilities|https://www.cvedetails.com/vulnerability-list/vendor_id-17893/product_id-45580/year-2018/H2database-H2.html].
> [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] is regarded as a critical vulnerability by our analyzer (Black Duck SCA) and makes it impossible to use Ignite SQL due to security policies. We realize this vulnerability is probably not even applicable to the H2 in Ignite since there is no H2 database or H2 backups in Ignite. Still, the security policies are very formal and do not allow that anyway.
> We believe there are lots of other enterprises having the same issue. For example, there is another issue IGNITE-14381 referencing the same problem.
> The latest H2 1.4.200 has no vulnerabilities.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)