Hello,

I've been thinking long and hard about whether it's worth mentioning this, but I've decided
that if not for credit, then to inform at the very least.

ekaplus.com did not discover this vulnerability and I do not believe they 
should be linked anywhere as the ones who discovered it.

The person who reported it, sure, but I do not believe that their website 
should be linked anywhere.


My team and I discovered this vulnerability and informed ekaplus about it, as
we believed them to be affected.

It was unfortunate but not the end of the world that they reported it before we 
did.

I simply dislike that they get free advertisement for something that they had 
no hand in.


Kind regards.

On 2020/06/03 10:31:36, Юрий wrote:
> Hi All,
>
> Apache Ignite 2.8.1 has been released. The release contains a fix for a critical
> vulnerability:
>
> CVE-2020-1963: Apache Ignite access to file system through predefined H2
> SQL functions
>
> Severity: Critical
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Ignite up to 2.8
>
> Impact:
> An attacker can use embedded H2 SQL functions to access a filesystem for
> write and read.
>
> Description:
> Apache Ignite uses the H2 database to build its SQL distributed execution engine.
> H2 provides SQL functions which could be used by an attacker to access the
> filesystem.
>
> Mitigation:
> Ignite 2.8 or earlier users should upgrade to 2.8.1.
> In case SQL is not used at all, the issue could be mitigated by removing
> ignite-indexing.jar from the Ignite classpath.
> Risk could be partially mitigated by using a non-privileged user to start
> Apache Ignite.
>
> Credit:
> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
>
> -- 
> Live with a smile! :D
>
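The mitigation section of the quoted advisory names three things a defender can check on a node: the Ignite version (fixed in 2.8.1), whether ignite-indexing.jar is on the classpath when SQL is not needed, and the account the process runs as. The following Python helper is an added example, not code from the thread or from the Ignite project; the function names, the input shapes (a version string, a list of jar paths, a user name) and the list of account names treated as privileged are all assumptions.

```python
import re

# First release carrying the fix for CVE-2020-1963, per the advisory.
FIXED_VERSION = (2, 8, 1)

# Assumed set of account names considered privileged for this check.
PRIVILEGED_ACCOUNTS = {"root", "SYSTEM", "Administrator"}


def parse_version(text):
    """Turn '2.8', '2.8.0' or '2.8.1-SNAPSHOT' into a 3-tuple of ints.
    Missing components are padded with 0, so '2.8' compares as (2, 8, 0),
    which the advisory counts as affected ('up to 2.8')."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def audit_ignite(version, classpath, run_as_user):
    """Evaluate one Ignite node against the advisory's mitigation advice.
    Returns a dict of findings plus the recommended actions, in advisory order."""
    affected = parse_version(version) < FIXED_VERSION
    # The SQL engine ships as ignite-indexing-<version>.jar; match on the file name only.
    indexing_jars = [p for p in classpath
                     if re.search(r"(^|/)ignite-indexing-[^/]*\.jar$", p)]
    privileged = run_as_user in PRIVILEGED_ACCOUNTS
    actions = []
    if affected:
        actions.append("upgrade to Apache Ignite 2.8.1 or later")
        if indexing_jars:
            actions.append("if SQL is unused, remove ignite-indexing.jar from the classpath")
    if privileged:
        actions.append("start Apache Ignite as a non-privileged user")
    return {
        "affected_version": affected,
        "sql_engine_present": bool(indexing_jars),
        "privileged_user": privileged,
        "actions": actions,
    }


if __name__ == "__main__":
    # Constructed sample classpath for a pre-fix node started as root.
    sample_cp = ["/opt/ignite/libs/ignite-core-2.8.0.jar",
                 "/opt/ignite/libs/ignite-indexing/ignite-indexing-2.8.0.jar"]
    for key, value in audit_ignite("2.8.0", sample_cp, "root").items():
        print(f"{key}: {value}")
```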
