Posted to issues@ignite.apache.org by "YuJue Li (Jira)" <ji...@apache.org> on 2022/05/18 10:41:00 UTC

[jira] [Commented] (IGNITE-15241) Ignite H2 Security Vulnerabilities

    [ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538725#comment-17538725 ] 

YuJue Li commented on IGNITE-15241:
-----------------------------------

 
[https://github.com/h2database/h2database/pull/2227]

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.10
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 1.4.197, which has these two [security vulnerabilities|https://www.cvedetails.com/vulnerability-list/vendor_id-17893/product_id-45580/year-2018/H2database-H2.html].
> [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] is regarded as a critical vulnerability by our analyzer (Black Duck SCA) and makes it impossible to use Ignite SQL due to security policies. We realize this vulnerability is probably not even applicable to the H2 in Ignite since there is no H2 database or H2 backups in Ignite. Still, the security policies are very formal and do not allow that anyway.
> We believe there are lots of other enterprises having the same issue. For example, there is another issue IGNITE-14381 referencing the same problem.
> The latest H2 1.4.200 has no vulnerabilities.


