[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606829#comment-17606829 ]

Jinchen Zhu commented on IGNITE-15241:
--------------------------------------

Hi [~kukushal],

We tried options 2 & 3 you provided, but it seems they still can't remove the 
dependency on H2.

For #2, the ignite-index module has a deep dependency on H2; even if we rename the 
H2 module, how do we modify the reference in ignite-index?

For #3, again ignite-index: in 2.13 we can switch the SQL engine to Calcite, 
but it seems ignite-index still has to load H2.

Appreciate your reply as we really don't have any solutions.

> Ignite H2 Security Vulnerabilities
> ----------------------------------
>
>                 Key: IGNITE-15241
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15241
>             Project: Ignite
>          Issue Type: Bug
>          Components: sql
>    Affects Versions: 2.13
>            Reporter: Alexey Kukushkin
>            Assignee: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>         Attachments: Ignite-H2-Vulnerabilities.png
>
>   Original Estimate: 80h
>  Remaining Estimate: 80h
>
> Upgrade H2 dependency of the ignite-indexing module to the latest version 
> 1.4.200.
> Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database 
> version 1.4.197. Black Duck SCA detects these [security 
> vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893]
> in H2: 
> !Ignite-H2-Vulnerabilities.png!
> We did preliminary real impact analysis considering how Ignite uses H2:
>  * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> store data in H2 and thus there can be no H2 backups in Ignite.
>  * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> support the {{CREATE ALIAS}} statement.
>  * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/]
> This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 
> version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and 
> up to 2.0.202.
>  * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/]
> This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 in 
> embedded mode. H2 cannot be externally exposed in embedded mode. The 
> vulnerability could be exploited on the local machine where Ignite is 
> running. However, this limits the severity a lot.
>  * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/]
> This vulnerability is not applicable to H2 in Ignite since Ignite does not 
> use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method.
> We realize all those vulnerabilities are not applicable to H2 in Apache 
> Ignite. However, our security policies are very formal and require somehow 
> addressing the security vulnerabilities anyway.
> We believe there are lots of other enterprises having the same issue. For 
> example, there is another issue IGNITE-14381 referencing the same problem.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)