
Upgrade h2-mvstore to 2.1.214 to fix security issues #878

Closed
OneSizeFitsQuorum opened this issue Dec 9, 2024 · 2 comments
Comments

@OneSizeFitsQuorum

According to the vulnerability scanning results of OWASP, moquette has a very serious vulnerability, which is caused by its dependence on h2-mvstore 2.1.212.

h2-mvstore-2.1.212.jar
Description: H2 MVStore
License:
MPL 2.0: https://www.mozilla.org/en-US/MPL/2.0/
EPL 1.0: https://opensource.org/licenses/eclipse-1.0.php
File Path: /home/runner/.m2/repository/com/h2database/h2-mvstore/2.1.212/h2-mvstore-2.1.212.jar
MD5: 5b7e0531b987702e172f0a29ffd06b11
SHA1: 504b3a66f0833bee8c2b928e02628df5040920ab
SHA256: 5a40508e18753695e642dd0fb102bb7f057f8b38249d574df57f4013e83852c3
Referenced In Projects/Scopes:
IoTDB: Example: UDF:provided
IoTDB: Core: Data-Node (Server):compile
IoTDB: Client: CLI:compile
IoTDB: Core: ConfigNode:compile
IoTDB: Example: Trigger:provided
IoTDB: Example: Pipe: Count Point Processor:provided
IoTDB: Distribution:compile
IoTDB: Example: Customized MQTT:compile

Included by:
pkg:maven/org.apache.iotdb/iotdb-server@2.0.0-SNAPSHOT
pkg:maven/io.moquette/moquette-broker@0.17
Evidence
Identifiers:
[pkg:maven/com.h2database/h2-mvstore@2.1.212](https://ossindex.sonatype.org/component/pkg:maven/com.h2database/h2-mvstore@2.1.212?utm_source=dependency-check&utm_medium=integration&utm_content=11.1.0) (Confidence: High)
[cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*](https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Ah2database&cpe_product=cpe%3A%2F%3Ah2database%3Ah2&cpe_version=cpe%3A%2F%3Ah2database%3Ah2%3A2.1.212) (Confidence: Highest)
Published Vulnerabilities:
[CVE-2022-45868](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45868)

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.
CWE-312 Cleartext Storage of Sensitive Information

CVSSv3:
Base Score: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A

References:
af854a3a-2127-422b-91ae-364da2661108 - [EXPLOIT,THIRD_PARTY_ADVISORY](https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243)
af854a3a-2127-422b-91ae-364da2661108 - [THIRD_PARTY_ADVISORY](https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347)
cve@mitre.org - [EXPLOIT,THIRD_PARTY_ADVISORY](https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243)
cve@mitre.org - [THIRD_PARTY_ADVISORY](https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347)
Vulnerable Software & Versions:

[cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:* versions up to (including) 2.1.214](https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Ah2database%3Ah2)

Does the community plan to upgrade the dependent version?

hylkevds (Collaborator) commented Dec 9, 2024

The vulnerability you mentioned above is completely irrelevant for Moquette.
I would also not call it a "serious" vulnerability, since, as the description states:

NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

I agree with that.

Regardless, versions of most dependencies will probably be updated for the next release.
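When a project has confirmed that a scanner finding does not apply, the defensible way to keep an OWASP Dependency-Check report clean is a narrowly scoped, time-boxed suppression that records the justification, not a blanket one. The suppressions.xml below is an added example, not a file from the Moquette project; it assumes the scan is run with Dependency-Check (the tool named in the report's links) and that the reviewer has verified the H2 web console is not part of the h2-mvstore artifact, which ships only the MVStore storage engine. Note that the NVD range quoted in the report lists versions up to and including 2.1.214 as affected, so the upgrade named in the title would not by itself clear this finding.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for OWASP Dependency-Check (constructed for illustration). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Time-box the suppression so the decision is revisited, not forgotten. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        CVE-2022-45868 concerns the -webAdminPassword CLI argument of the H2 web
        admin console (org.h2.server.web.WebServer, CWE-312). The h2-mvstore
        artifact contains only the MVStore storage engine and does not ship the
        web console or its CLI, so this is a CPE match on the shared product
        name, not a reachable weakness. Re-review on expiry or if the dependency
        coordinates change.
        ]]></notes>
        <!-- Scope to the exact artifact; never suppress by CVE alone. -->
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2\-mvstore@.*$</packageUrl>
        <cve>CVE-2022-45868</cve>
    </suppress>
</suppressions>
```

Point the scan at this file with Dependency-Check's suppression-file setting; the same CVE will still be reported for any other artifact, including the full h2 jar, where the console code is actually present.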

andsel (Collaborator) commented Jan 2, 2025

Closed by #886

@andsel andsel closed this as completed Jan 2, 2025