ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sriveena Mattaparthi <Sriveena.Mattapar...@ekaplus.com>
Subject RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability
Date Wed, 03 Jun 2020 14:03:36 GMT
Thanks, Could you please confirm when the analysis will be updated here for the CVE logged.
https://nvd.nist.gov/vuln/detail/CVE-2020-1963

Regards,
Sriveena

From: Юрий <jury.gerzhedowich@gmail.com>
Sent: 03 June 2020 16:02
To: dev <dev@ignite.apache.org>; user@ignite.apache.org; announce@apache.org; Apache
Security Team <security@apache.org>; Sriveena Mattaparthi <Sriveena.Mattaparthi@ekaplus.com>
Subject: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability

Hi All,

Apache Ignite 2.8.1 has been released. The release contain fix of critical vulnerability

CVE-2020-1963: Apache Ignite access to file system through predefined H2 SQL functions

Severity: Critical

Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8

Impact
An attacker can use embedded H2 SQL functions to access a filesystem for write and read.

Description:
Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL
functions which could be used by attacker to access to a filesystem.

Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing ignite-indexing.jar
from Ignite classpath
Risk could be partially mitigated by using non privileged user to start Apache Ignite.

Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fekaplus.com%2F&data=02%7C01%7CSriveena.Mattaparthi%40ekaplus.com%7Cfd4be57b204d40b49a3208d807a952ca%7C2a5b4e9716be4be4b2d40f3fcb3d373c%7C1%7C0%7C637267771122745491&sdata=eOKf4r6a1PmMvRg1HKa79HZqd%2Fp%2Fhq%2BJGlHmIZoLy%2Bo%3D&reserved=0>

--
Живи с улыбкой! :D
“Confidentiality Notice: The contents of this email message and any attachments are intended
solely for the addressee(s) and may contain confidential and/or privileged information and
may be legally protected from disclosure. If you are not the intended recipient of this message
or their agent, or if this message has been addressed to you in error, please immediately
alert the sender by reply email and then delete this message and any attachments. If you are
not the intended recipient, you are hereby notified that any use, dissemination, copying,
or storage of this message or its attachments is strictly prohibited.”
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message