CVE-2021-42392

WSO2 Products impacted: No

Customer actions required: No


REPORTED VULNERABILITY

H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI [1][2].

WSO2 JUSTIFICATION

H2 Console is disabled by default in WSO2 products, and we do not recommend enabling this feature in production deployments [3][4][5]. Furthermore, for the issue to be exploitable, webAllowOthers must also be set, which is likewise not recommended. Therefore, WSO2 customers are not affected by this issue.

If you have enabled the H2 console for any reason, please make sure to disable it.
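
An added example, not WSO2 or H2 code: a small audit helper that classifies a deployment against the conditions named above (H2 version inside the affected range, console enabled, webAllowOthers set). The function names, the status labels, the jar names and the key=value settings text are assumptions made for illustration; only the version range and the webAllowOthers setting come from this advisory.

```python
import re

# Affected H2 range as stated in the advisory (inclusive at both ends).
FIRST_AFFECTED = (1, 1, 100)
LAST_AFFECTED = (2, 0, 204)

def parse_h2_version(name):
    """Return (major, minor, patch) from a version string or jar file name."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", name)
    if match is None:
        raise ValueError(f"no x.y.z version in {name!r}")
    return tuple(int(part) for part in match.groups())

def version_affected(name):
    return FIRST_AFFECTED <= parse_h2_version(name) <= LAST_AFFECTED

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def assess(jar_name, console_enabled, settings_text):
    """Classify one deployment against the conditions the advisory names."""
    if not version_affected(jar_name):
        return "OUTSIDE_RANGE"
    if not console_enabled:
        return "CONSOLE_DISABLED"      # the default state described above
    # Assumption: a missing webAllowOthers key is treated as not set.
    allow_others = parse_properties(settings_text).get("webAllowOthers", "false")
    if allow_others.lower() == "true":
        return "EXPOSED"               # console on and webAllowOthers set
    return "CONSOLE_ENABLED"           # still to be disabled per the advisory

if __name__ == "__main__":
    # Constructed sample inventory: (jar name, console enabled?, settings text).
    inventory = [
        ("h2-1.4.199.jar", False, ""),
        ("h2-1.4.199.jar", True, "# constructed\nwebAllowOthers=true\n"),
        ("h2-2.0.206.jar", True, "webAllowOthers=true\n"),
    ]
    for jar, enabled, settings in inventory:
        print(f"{jar:16} console={enabled!s:5} -> {assess(jar, enabled, settings)}")
```

Any result other than OUTSIDE_RANGE or CONSOLE_DISABLED calls for the action stated above: disable the H2 console.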

REFERENCES