[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606829#comment-17606829 ]
Jinchen Zhu commented on IGNITE-15241:
--------------------------------------

Hi [~kukushal], we tried options 2 & 3 you provided, but it seems we still can't remove the dependency on H2.

For #2, the ignite-index module has a deep dependency on H2; even if we rename the H2 module, how do we modify the reference in ignite-index?

For #3, again ignite-index: in 2.13 we can switch the SQL engine to Calcite, but it seems ignite-index still has to load H2.

Appreciate your reply, as we really don't have any solutions.

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>
> Upgrade the H2 dependency of the ignite-indexing module to the latest version, 1.4.200.
>
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version 1.4.197. Black Duck SCA detects these [security vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893] in H2:
>
> !Ignite-H2-Vulnerabilities.png!
>
> We did a preliminary real impact analysis considering how Ignite uses H2:
>
> * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not store data in H2 and thus there can be no H2 backups in Ignite.
>
> * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not support the {{CREATE ALIAS}} statement.
>
> * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
> This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and up to 2.0.202.
>
> * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
> This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in embedded mode. H2 cannot be externally exposed in embedded mode. The vulnerability could be exploited on the local machine where Ignite is running. However, this limits the severity a lot.
>
> * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
>
> We realize all those vulnerabilities are not applicable to H2 in Apache Ignite. However, our security policies are very formal and require somehow addressing the security vulnerabilities anyway.
>
> We believe there are lots of other enterprises having the same issue. For example, there is another issue, IGNITE-14381, referencing the same problem.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
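The issue description asks for the H2 dependency pulled in by {{ignite-indexing}} to be moved from 1.4.197 to 1.4.200. For an application that consumes Ignite rather than building it, the usual way to force that without waiting for a release is a Maven dependencyManagement override in the application's own pom.xml. The fragment below is an added example written for this page, not code from the Ignite project or from either participant in this thread; it assumes the H2 artifact is published under the Maven coordinate com.h2database:h2 and that the Ignite version in use is 2.13 (both are assumptions here, not stated on the page), and it does not claim that Ignite's SQL layer is compatible with 1.4.200, which the ticket leaves as open work.

```xml
<!-- Added example: application pom.xml pinning the H2 version that
     ignite-indexing transitively brings in. Assumptions: the H2 artifact
     coordinate com.h2database:h2 and Ignite version 2.13 are not taken
     from the page; verify them against your own dependency tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.app</groupId>
  <artifactId>ignite-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Target version named in IGNITE-15241. -->
    <h2.version>1.4.200</h2.version>
    <ignite.version>2.13.0</ignite.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over the transitive version declared by
           ignite-indexing, so the resolved H2 artifact becomes 1.4.200. -->
      <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${h2.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.ignite</groupId>
      <artifactId>ignite-core</artifactId>
      <version>${ignite.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.ignite</groupId>
      <artifactId>ignite-indexing</artifactId>
      <version>${ignite.version}</version>
    </dependency>
  </dependencies>
</project>
```

After the override, `mvn dependency:tree -Dincludes=com.h2database` shows which H2 version was actually resolved; a scanner such as the Black Duck SCA run mentioned in the ticket reports on that resolved artifact, not on the version Ignite declares. Note that the ticket's own analysis places CVE-2021-23463 at H2 1.4.198 and later, so any version pin should be re-evaluated against the full CVE list rather than treated as a pure improvement.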