WSO2 impacted: No
Evidence of compromise: No
Customer actions required: No
Reported Vulnerability
H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI [1][2].
WSO2 Clarification
H2 Console is disabled by default in WSO2 products, and we do not recommend enabling this feature in production deployments [3][4][5]. Furthermore, for the issue to be exploitable, "webAllowOthers" must be set, which is also not recommended. Therefore, WSO2 customers are not affected by this issue.
If you have enabled the H2 console for any reason, please make sure to disable it.
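To verify a deployment against the conditions above, the following added example (not WSO2 or H2 project code) checks bundled H2 jar versions against the reported range and looks for "webAllowOthers" in a properties-style file. The jar naming patterns, the `key=true` settings format, the `console_enabled` input and the status names are assumptions for illustration; the sample inputs in the usage are constructed.

```python
import re

# Affected range as stated in the advisory: 1.1.100 to 2.0.204 inclusive.
AFFECTED_MIN = (1, 1, 100)
AFFECTED_MAX = (2, 0, 204)

# Assumed jar naming: "h2-<x.y.z>.jar" or "h2_<x.y.z>.<vendor suffix>.jar".
JAR_RE = re.compile(r"^h2[-_](\d+)\.(\d+)\.(\d+)(?:[._-][\w.-]*)?\.jar$", re.I)

# Assumed properties-style setting, e.g. "webAllowOthers=true".
# Lines starting with "#" do not match, so commented-out settings are ignored.
ALLOW_RE = re.compile(r"^\s*webAllowOthers\s*[=:]\s*true\s*$", re.I | re.M)


def h2_version(jar_name):
    """Return (major, minor, build) for an H2 jar file name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(p) for p in m.groups()) if m else None


def in_affected_range(version):
    """True if the version lies inside the range reported in the advisory."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def web_allow_others_set(properties_text):
    """True if an uncommented webAllowOthers=true line is present."""
    return bool(ALLOW_RE.search(properties_text))


def assess(jar_names, properties_text, console_enabled):
    """Combine the three conditions; console_enabled is supplied by the caller
    because how the console is switched on is product-specific."""
    affected = [n for n in jar_names
                if (v := h2_version(n)) and in_affected_range(v)]
    if not affected:
        status = "version-not-in-range"
    elif not console_enabled:
        status = "console-disabled"
    elif web_allow_others_set(properties_text):
        status = "console-enabled-allow-others"
    else:
        status = "console-enabled"
    return {"affected_jars": affected, "status": status}


if __name__ == "__main__":
    jars = ["h2_1.4.199.wso2v1.jar", "commons-io-2.11.0.jar"]  # constructed
    print(assess(jars, "webPort=8082\n#webAllowOthers=true\n", False))
```

Any status other than "version-not-in-range" or "console-disabled" means the console should be turned off, in line with the recommendation above.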
References
[1]. https://nvd.nist.gov/vuln/detail/CVE-2021-42392
[2]. https://github.com/advisories/GHSA-h376-j262-vhq6
[3]. https://is.docs.wso2.com/en/latest/setup/changing-to-remote-h2/
[4]. https://is.docs.wso2.com/en/latest/setup/browsing-the-h2-database/
[5]. https://is.docs.wso2.com/en/latest/setup/working-with-databases/