WSO2 impacted: No
Evidence of compromise: No
Customers actions required: No
H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI .
H2 Console is by default disabled in WSO2 Products, also we do not recommend enabling this feature in production deployments . Furthermore, for the issue to be exploitable "webAllowOthers" should be set, which is also not recommended Therefore, WSO2 customers are not affected by this issue.
In case if you have enabled the H2 console for any reason, please make sure to disable the H2 console.