====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN313
_____________________________________________________________________

DATE                : 08/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Ignite versions prior to
                                            2.8.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202006.mbox/%3cCABDss3haniOVEutheV1dSvDXEmJ_ZN5FJARt1S=vM2ko024Zqg@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-1963: Apache Ignite access to file system through predefined H2
SQL functions


Severity: Critical


Vendor:
The Apache Software Foundation

Versions Affected:
All versions of Apache Ignite up to 2.8


Impact
An attacker can use embedded H2 SQL functions to access a filesystem for
write and read.


Description:
Apache Ignite uses H2 database to build SQL distributed execution
engine.
H2 provides SQL functions which could be used by attacker to access to a
filesystem.


Mitigation:
Ignite 2.8 or earlier users should upgrade to 2.8.1
In case SQL is not used at all the issue could be mitigated by removing
ignite-indexing.jar from Ignite classpath
Risk could be partially mitigated by using non privileged user to start
Apache Ignite.


Credit:
This issue was discovered by Sriveena Mattaparthi of ekaplus.com

-- 
Живи с улыбкой! :D


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================