CVE-2021-42392
WSO2 Products impacted: No
Customer actions required: No
REPORTED VULNERABILITY
H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI [1][2].
WSO2 JUSTIFICATION
The H2 Console is disabled by default in WSO2 Products, and we do not recommend enabling this feature in production deployments [3][4][5]. Furthermore, for the issue to be exploitable, webAllowOthers needs to be set, which is also not recommended. Therefore, WSO2 customers are not affected by this issue.
If you have enabled the H2 console for any reason, please make sure to disable it.
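The two conditions named above, the affected version range and the webAllowOthers setting, can be checked together. The following is an added example, not WSO2 or H2 project code; the jar file names and the key=value settings text are constructed assumptions, and where a given product stores these values is not covered here.

```python
import re

# Affected range stated in the advisory: 1.1.100 through 2.0.204, inclusive.
FIRST_AFFECTED = (1, 1, 100)
LAST_AFFECTED = (2, 0, 204)

# First dotted three-part version in a jar name, e.g. "h2-1.4.199.jar" (assumed naming).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def h2_version(jar_name):
    """Return the (major, minor, build) tuple found in a jar file name, or None."""
    m = _VERSION_RE.search(jar_name)
    return tuple(int(p) for p in m.groups()) if m else None


def in_affected_range(version):
    """True when the version falls inside the advisory's inclusive range."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def web_allow_others(settings_text):
    """Parse key=value settings text; the last webAllowOthers entry wins."""
    allowed = False
    for raw in settings_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # skip blanks and comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "webAllowOthers":
            allowed = value.strip().lower() == "true"
    return allowed


def assess(jar_name, settings_text):
    """Summarise both advisory conditions for one deployment."""
    version = h2_version(jar_name)
    if version is None:
        return "unknown version: inspect manually"
    if not in_affected_range(version):
        return "H2 version outside affected range"
    if web_allow_others(settings_text):
        return "affected version with webAllowOthers set: disable the H2 console"
    return "affected version, webAllowOthers not set: keep the H2 console disabled"


# Constructed sample settings text (not taken from any real deployment).
SAMPLE_SETTINGS = "# constructed sample\nwebPort=8082\nwebAllowOthers=true\n"

if __name__ == "__main__":
    for jar in ("h2-1.4.199.jar", "h2-2.0.204.jar", "h2-2.0.206.jar"):
        print(jar, "->", assess(jar, SAMPLE_SETTINGS))
```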