VYPR
Critical severity · NVD Advisory · Published Jun 3, 2020 · Updated Aug 4, 2024

CVE-2020-1963

Description

Apache Ignite up to 2.8 uses H2 SQL functions that allow an attacker to read/write the filesystem. Upgrade to 2.8.1 or remove ignite-indexing.jar to mitigate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-1963 is a critical vulnerability in Apache Ignite, an in-memory data platform. Ignite's distributed SQL engine (the ignite-indexing module) embeds the H2 database engine to parse and execute queries, and with it H2's built-in SQL functions. Some of those functions read from and write to the filesystem, and Ignite exposed them to anyone able to submit SQL, so an attacker can use them to read and write files on the host where the Ignite node runs, with the privileges of the Ignite process. The vulnerability affects all Apache Ignite versions up to and including 2.8. [1][2]

Exploitation

An attacker needs the ability to execute arbitrary SQL queries against the Ignite cluster: network access to an Ignite SQL endpoint (for example the JDBC/ODBC thin-client port or the REST API) together with valid credentials, or an endpoint that does not require authentication. Ignite does not enable authentication by default, so an SQL port reachable from an untrusted network is exploitable without any credentials. With that access, a crafted SQL statement that invokes H2's filesystem functions is executed by the Ignite node itself, outside any permission model the SQL layer was meant to enforce. No user interaction beyond submitting the query is required. [2]
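A detection check for the access path described above, written for this page as an added example (it is not code from the advisory or from the Apache Ignite project). The advisory only says "H2 SQL functions"; the function names below are the editor's, taken from H2's own function reference (FILE_READ and FILE_WRITE read and write arbitrary files, CSVREAD and CSVWRITE read and write CSV files on disk). The detector strips string literals and comments before matching, so a literal that merely contains the text `file_read(` does not fire, while a call split by a comment such as `FILE_READ/**/(...)` still does. The sample statements are constructed for the example and come from no real deployment.

```python
import re
from typing import List, Tuple

# H2 built-in functions that touch the server filesystem. The advisory does not
# name them; this list is the editor's, taken from H2's function reference.
H2_FILESYSTEM_FUNCTIONS = ("FILE_READ", "FILE_WRITE", "CSVREAD", "CSVWRITE")

# One tokenizer pass over literals and comments. Leftmost match wins, so a "--"
# inside a string literal, or a quote inside a comment, cannot confuse stripping.
_NOISE = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.S)


def normalize_sql(sql: str) -> str:
    """Replace string literals and comments with a single space.

    Two reasons: a literal such as 'file_read(' must not produce a false
    positive, and a call split by a comment (FILE_READ/**/(...)) must still be
    recognised as a call once the comment is gone."""
    return _NOISE.sub(" ", sql)


def find_filesystem_calls(sql: str) -> List[str]:
    """Return the H2 filesystem functions invoked in one SQL statement."""
    text = normalize_sql(sql)
    return [name for name in H2_FILESYSTEM_FUNCTIONS
            if re.search(r"\b%s\s*\(" % name, text, re.IGNORECASE)]


def scan_query_log(lines) -> List[Tuple[int, str, List[str]]]:
    """Run the detector over an iterable of SQL statements, one per line (as a
    JDBC proxy or a query log would hand them over), and return
    (line number, statement, functions) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_filesystem_calls(line)
        if found:
            hits.append((n, line.strip(), found))
    return hits


# Constructed sample statements for the example; not taken from any real system.
SAMPLE_LOG = [
    "SELECT id, name FROM accounts WHERE note = 'see file_read(' ",
    "SELECT FILE_READ('/opt/ignite/config/default-config.xml', NULL)",
    "select count(*) from profile_reads",
    "SELECT file_write/**/(x'0a', '/tmp/marker')",
    "SELECT * FROM CSVREAD('/tmp/import.csv')",
]

if __name__ == "__main__":
    for n, stmt, found in scan_query_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (n, ", ".join(found), stmt))
```

Run against the sample, lines 2, 4 and 5 are reported. A hit on a production cluster is not proof of compromise (CSVREAD has legitimate import uses), but on an Ignite node older than 2.8.1 any of these calls is worth an immediate look at who submitted it and from where.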

Impact

If successfully exploited, an attacker can read arbitrary files the Ignite process can access, potentially exposing configuration files, credentials, or application data. The attacker can also write files, which can lead to further compromise, such as planting executables or scripts in locations that are later run, or overwriting files the service or the host depends on. The vulnerability carries a CVSS score of 9.1 (Critical), reflecting network reachability, low attack complexity, no required privileges or user interaction, and high impact on confidentiality and integrity; availability is not directly affected. [1]

Mitigation

The Apache Software Foundation addressed this issue in Apache Ignite 2.8.1. All users of 2.8 and earlier should upgrade. For environments where SQL is not required, the exposure can be eliminated by removing ignite-indexing.jar (the module that bundles H2) from the classpath, at the cost of all SQL functionality. As partial mitigations, run Ignite under a dedicated non-privileged operating-system user so that the files reachable through H2 are limited to what that user can read and write, enable Ignite authentication, and keep the SQL endpoints off untrusted networks. [2]
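A classpath audit for the mitigation above, added here as an example (not code from the advisory or the Apache Ignite project). It reads the jar names found under an Ignite installation's `libs` directory, picks out `ignite-core` and `ignite-indexing`, and reports the node as vulnerable only when the core version is below 2.8.1 and the indexing module is actually present; a node without ignite-indexing has no H2 on the classpath. Assumptions: the standard Ignite jar naming (`ignite-<module>-<version>[-qualifier].jar`) and the standard layout in which modules under `libs/optional` are not loaded until an operator moves them into `libs`, so that subdirectory is skipped. The path `/opt/ignite` in the constructed sample is a placeholder.

```python
import os
import re
from typing import Iterable, Optional, Tuple

# First release that carries the fix, per the advisory.
FIXED_VERSION = (2, 8, 1)

# ignite-core-<version>[-qualifier].jar and ignite-indexing-<version>[-qualifier].jar
_JAR = re.compile(r"^ignite-(core|indexing)-(\d+(?:\.\d+)*)(?:[-.][\w.]*)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric comparison with zero padding, so 2.8 == 2.8.0 < 2.8.1."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


class Assessment:
    def __init__(self, core_version, indexing_present, vulnerable, reason):
        self.core_version = core_version          # tuple or None
        self.indexing_present = indexing_present  # bool
        self.vulnerable = vulnerable              # True / False / None (unknown)
        self.reason = reason


def assess_jars(jar_paths: Iterable[str]) -> Assessment:
    """Decide from a list of jar paths whether the classpath is exposed."""
    core = None  # type: Optional[Tuple[int, ...]]
    indexing = False
    for path in jar_paths:
        m = _JAR.match(os.path.basename(path))
        if not m:
            continue
        module, version = m.group(1), parse_version(m.group(2))
        if module == "core":
            # Keep the lowest core version seen: a stray old jar is the one that matters.
            core = version if core is None or version_lt(version, core) else core
        else:
            indexing = True
    if core is None:
        return Assessment(None, indexing, None, "no ignite-core jar found; not an Ignite classpath")
    shown = ".".join(str(p) for p in core)
    if not indexing:
        return Assessment(core, False, False, "ignite-indexing absent: H2 SQL engine not on the classpath")
    if version_lt(core, FIXED_VERSION):
        return Assessment(core, True, True, "ignite-core %s with ignite-indexing present; upgrade to 2.8.1" % shown)
    return Assessment(core, True, False, "ignite-core %s is at or above the fixed version" % shown)


def assess_directory(libs_dir: str) -> Assessment:
    """Walk $IGNITE_HOME/libs; skip libs/optional, whose modules are not on the
    classpath until moved into libs (assumption: standard Ignite layout)."""
    jars = []
    for root, dirs, files in os.walk(libs_dir):
        dirs[:] = [d for d in dirs if d != "optional"]
        jars.extend(os.path.join(root, f) for f in files if f.endswith(".jar"))
    return assess_jars(jars)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = assess_directory(sys.argv[1])
    else:
        # Constructed sample listing; /opt/ignite is a placeholder path.
        result = assess_jars([
            "/opt/ignite/libs/ignite-core-2.8.0.jar",
            "/opt/ignite/libs/ignite-indexing/ignite-indexing-2.8.0.jar",
            "/opt/ignite/libs/ignite-spring-2.8.0.jar",
        ])
    print("vulnerable=%s: %s" % (result.vulnerable, result.reason))
```

Point it at the `libs` directory of each node (`python audit.py /path/to/ignite/libs`); the constructed sample reports vulnerable because ignite-core 2.8.0 sits next to an ignite-indexing jar. For Maven-built applications, apply the same test to the resolved dependency tree rather than a directory: the advisory's affected artifact is org.apache.ignite:ignite-core below 2.8.1, and the exposure exists only when ignite-indexing is also pulled in.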

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.ignite:ignite-core (Maven)
Affected versions: < 2.8.1
Patched versions: 2.8.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE

References: 19

News mentions: 0 (no linked articles in the index yet)