Fix CVE-2017-11467: upgrade OrientDB 2.1.25 → 2.2.37#163
Draft
Fix CVE-2017-11467: upgrade OrientDB 2.1.25 → 2.2.37#163
Conversation
- Update orientdb.version from 2.1.25 to 2.2.37 in root pom.xml - Update orientdb.studio.version from 1.7.10 to 2.2.37 in root pom.xml - Remove OSimpleVersion import (removed in 2.2.x) from OrientDBRepoService.java - Replace new OSimpleVersion(ver) with plain int ver in delete call - Remove orientdb-enterprise dependency (merged into orientdb-core in 2.2.x) - Update studio packaging in openidm-zip/pom.xml (remove distribution classifier, update ant pattern for renamed studio zip) - Add --add-opens java.base/sun.nio.ch=ALL-UNNAMED for Java 17 + OrientDB 2.2.x - Update OrientDB version in legal/THIRDPARTYREADME.txt - Update OrientDB version in chap-install.adoc Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/e6262d96-e72c-4e30-ba23-7b7f86383e93 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/e6262d96-e72c-4e30-ba23-7b7f86383e93 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/e6262d96-e72c-4e30-ba23-7b7f86383e93 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Update OrientDB version to 2.2.23 and fix compilation errors
Fix CVE-2017-11467: upgrade OrientDB 2.1.25 → 2.2.37
Apr 17, 2026
…or OrientDB 2.2.37 OrientDB 2.2.37's OByteBufferPool uses reflection to access sun.nio.ch.DirectBuffer on Java 9+, causing InaccessibleObjectException and OSGi bundle startup failure without this JVM flag. Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/c25be698-8b4d-4aa8-90b7-5e7383c1edda Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…entdb-core 2.2.37 OrientDB 2.2.37's orientdb-core OSGi bundle has a mandatory Import-Package for javax.annotation.meta. The jsr305-3.0.2.jar is a proper OSGi bundle (with Export-Package: javax.annotation.meta;version=3.0.2) and satisfies this dependency, fixing the bundle resolution failure at startup. Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/9e4dae20-6edb-4e09-b8a0-a55afa3a268d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
1. Fix Windows path bug in EmbeddedOServerService.java: use
dbURL.substring(indexOf(':') + 1) instead of split(":")[1] so that
Windows paths like plocal:D:/a/.../db/openidm are parsed correctly.
The old code returned just "D" (the drive letter), making ORIENTDB_HOME
resolve to <openidm_dir>\D rather than the real DB path.
2. Set ORIENTDB_HOME to the OpenIDM working directory (not the DB
directory). OrientDB 2.2.37 resolves ${ORIENTDB_HOME}/config/security.json
using the ORIENTDB_HOME system property.
3. Add openidm-zip/src/main/resources/config/security.json with minimal
content. OrientDB 2.2.37's ODefaultServerSecurity.loadConfig() logs a
SEVERE (→ ERROR via JUL-to-SLF4J bridge) when security.json is absent.
The CI checks (! grep "ERROR" openidm0.log.0 on Linux;
find /c '"ERROR"' | findstr "0" on Windows) both fail on that ERROR.
Providing the file prevents the SEVERE from being logged.
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/a183a4b3-cd51-4122-be8c-24826ee2caec
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
OrientDB 2.2.37 calls fdatasync() after every cluster/schema change via STORAGE_CONFIGURATION_SYNC_ON_UPDATE (default true) and on every WAL page flush via WAL_SYNC_ON_PAGE_FLUSH (default true). As the schema grows with each new class, the storage-config rewrite becomes progressively larger: - Each addCluster() rewrites the full cluster list and calls fsync() - N classes = O(N²) total I/O work On Linux, fdatasync() is much slower than on Windows (Windows uses async I/O that batches writes). With 30 OrientDB classes to create, this turned the initial schema initialization into a 3+ minute operation, exceeding the CI 3-minute timeout. Fix: temporarily set both flags to false for the duration of populateSample(), then restore the originals in a finally block. This makes schema creation as fast on Linux as on Windows while preserving full durability guarantees for all normal operations. Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/24ca770d-f1c1-4b56-bdfb-08182ce5f0a1 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
The previous fix (moving STORAGE_CONFIGURATION_SYNC_ON_UPDATE and WAL_SYNC_ON_PAGE_FLUSH into populateSample) was insufficient because both flags are applied AFTER the storage is opened. The background WAL flush thread (OWriteAheadLog) starts at storage-open time and calls fdatasync() every WAL_COMMIT_TIMEOUT ms (default 1 s) on a WAL that grows with each new cluster. This background flush is not gated by WAL_SYNC_ON_PAGE_FLUSH, so the O(N²) behaviour persisted. Root cause: USE_WAL is read once when OLocalPaginatedStorage is created. It must therefore be set to false BEFORE db.create() to prevent the WAL and its background flush thread from being started at all. Changes: - Move all OGlobalConfiguration tuning into checkDB(), before the ODatabaseDocumentTx object is used (db.exists() only probes, no storage is opened at that point). - For a new DB (!exists): also set USE_WAL=false so no WAL is created. The storage is closed cleanly at the end of checkDB (dirty-page flush by the disk cache), leaving a consistent state for the subsequent pool open which restores USE_WAL=true. - For an existing DB: keep WAL intact; only suppress the config-sync and WAL-page-flush flags so crash recovery is preserved. - Simplify populateSample(): remove the now-redundant OGlobalConfiguration manipulation added in the previous commit. Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/0d744d44-9f47-4fc9-a96b-7e4b970b4405 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…al config changes Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/0d744d44-9f47-4fc9-a96b-7e4b970b4405 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/87291598-a1ab-411f-b8be-5db8082517ee Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/c55459c6-65fa-4b6a-9758-1a119885cd8b Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/2697efbe-f205-41fb-b223-39c4acd14d87 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/7d89670b-1ac9-4cc9-923f-076b70cc30dd Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
… disable WAL Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/968669f2-52c9-4666-a39c-413f6bb5793c Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…l O(N²) culprit Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/6cf680a8-460e-4942-b2f1-7615e8d1cd69 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Run 24614826683 on
309618da3f(the previous WAL-disable fix) showed the same O(N²) timing pattern (link 7s → relationships 19s → synchronisation_pooledSyncStage 66s → next class killed). So disabling WAL was not the actual remedy.Real root cause
OrientDB 2.2.37 has
STORAGE_MAKE_FULL_CHECKPOINT_AFTER_CLUSTER_CREATE = trueby default. After everyaddCluster()call (i.e. every class/index creation), it performs a full storage checkpoint — fsync()'ing every cluster file plus the WAL. As clusters accumulate, each checkpoint scans/syncs all previously-created clusters, producing the classic O(N²) total cost. On Linux/macOS wherefdatasync()is expensive, this turns ~30 schema classes into 5+ minutes; on Windows the same code is fast because NTFS batches writes.Fix
In
DBHelper.checkDB, additionally disable for the schema-setup window:STORAGE_MAKE_FULL_CHECKPOINT_AFTER_CLUSTER_CREATE(the dominant cost)STORAGE_MAKE_FULL_CHECKPOINT_AFTER_CREATESTORAGE_MAKE_FULL_CHECKPOINT_AFTER_OPENOriginals are captured before and restored in the existing
finallyblock. The WAL flags and the comment block are kept — they were not harmful, just insufficient.All three flag names verified to exist in OrientDB 2.2.x source (
storage.makeFullCheckpoint{AfterCreate,AfterOpen,AfterClusterCreate}).Tasks
STORAGE_MAKE_FULL_CHECKPOINT_AFTER_CLUSTER_CREATE(+ AFTER_CREATE / AFTER_OPEN) for schema setup; restore infinallyOriginal prompt
This pull request was created from Copilot chat.