Thanks. Is there any timeline when this ticket would be picked up and fixed? 
Thanks.

Regards,
Marcus

From: Stephen Darlington <stephen.darling...@gridgain.com>
Sent: Friday, January 14, 2022 5:41 PM
To: user
Subject: Re: h2 vulnerabilities




There are already tickets about this, IGNITE-14845 <https://issues.apache.org/jira/browse/IGNITE-14845> for example. Note that at least two of the CVEs you list are not exposed in Ignite (IGNITE-10801 <https://issues.apache.org/jira/browse/IGNITE-10801>).


On 14 Jan 2022, at 09:22, Lo, Marcus <marcus...@citi.com> wrote:

Hi,

The current Ignite (v2.11) has h2 v1.4.197 as a dependency, which is subject to the following vulnerabilities. Is there any plan to update to a newer version? Given the currently heightened security awareness, it would be very difficult to make the case to use the current version of Ignite due to corporate security policy. Thanks.

CVE-2021-23463 (BDSA-2021-3744)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463

CVE-2018-10054 (BDSA-2018-1048)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054

BDSA-2022-0048 (H2 Database Vulnerable to Remote Code Execution (RCE) via Unsafe JNDI Class Loading Functionality)
https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/

CVE-2018-14335 (BDSA-2018-2507)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335

Regards,
Marcus
