CVE-2021-23463

WSO2 Products impacted: no

Customers actions required: no


REPORTED VULNERABILITY

This vulnerability in the H2 database engine allows XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcResultSet.getSQLXML() method.

REPORTED PRODUCTS

  • WSO2 API Manager : 3.2.0
  • Any other WSO2 products containing the H2 Database Engine from 1.4.198 and before 2.0.202

WSO2 JUSTIFICATION

In H2, the 1.x versions are not compatible with the 2.x database file format, and the upgrade also introduces syntax changes to current database scripts, so existing H2 databases would need a data migration. This is therefore a backward-incompatible change that would mean a mandatory data migration for the databases of existing users. Because of these concerns, we are publishing this CVE justification with our in-depth analysis of the CVE, detailing how the associated risks are mitigated in WSO2 products and the actions WSO2 is taking regarding the CVE, even though we will not be upgrading the H2 version in APIM due to the architectural and migration challenges described above.

However, the specific method that could be exploited, org.h2.jdbc.JdbcResultSet.getSQLXML(), is not utilized within WSO2 products, including WSO2 API Manager 3.2.0.

The lack of reliance on this vulnerable method within our product effectively mitigates any associated risk. Additionally, the H2 database engine is not exposed externally in WSO2 product deployments, further reducing any potential impact of this vulnerability.

Additionally, we have already upgraded the H2 database to non-vulnerable 2.x versions in APIM 4.1.0 and above, so APIM 4.1.0 and above do not include the affected version of the H2 dependency. We recommend migrating to APIM 4.1.0 or above so that the affected dependency is no longer flagged by automated scanners.
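The two claims above (the affected H2 range from 1.4.198 up to but not including 2.0.202, and the absence of any getSQLXML() call in the product) are both things an operator can verify for a given deployment. The following script is an added example, not WSO2's own tooling or part of the H2 project; the jar names and Java snippets it scans are constructed sample input, and a real run would point it at the `repository/components/plugins` style directory and source tree of the actual deployment (assumed layout, not taken from this advisory).

```python
import re

# Affected H2 range stated in the advisory: 1.4.198 up to, but not including, 2.0.202.
AFFECTED_FROM = (1, 4, 198)
FIXED_AT = (2, 0, 202)

# Matches plain release jar names such as h2-1.4.200.jar (snapshot/qualifier
# suffixes are deliberately not matched and would need manual review).
_JAR_RE = re.compile(r"^h2-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_h2_version(jar_name):
    """Return (major, minor, patch) for an H2 engine jar name, or None for
    any other jar (e.g. h2-1.4.200.jar -> (1, 4, 200))."""
    m = _JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version):
    """True when version lies in [1.4.198, 2.0.202). Integer tuples compare
    numerically, so 1.4.200 < 2.0.202 holds (a string compare would not be safe)."""
    return AFFECTED_FROM <= tuple(version) < FIXED_AT


# Any call of the vulnerable accessor, regardless of the receiver variable name.
_CALL_RE = re.compile(r"\.getSQLXML\s*\(")


def find_getsqlxml_calls(sources):
    """Given {filename: source text}, return [(filename, line_no, line)] for every
    line that invokes getSQLXML(...). Only first-party source is covered here;
    third-party libraries would need their bytecode inspected as well."""
    hits = []
    for name, text in sources.items():
        for i, line in enumerate(text.splitlines(), start=1):
            if _CALL_RE.search(line):
                hits.append((name, i, line.strip()))
    return hits


def assess(jar_names, sources):
    """Combine both checks: which H2 jars fall in the affected range, where
    getSQLXML is called, and whether both conditions hold at once (the only
    case in which the XXE path described by the CVE is actually reachable)."""
    affected = []
    for jar in jar_names:
        version = parse_h2_version(jar)
        if version is not None and is_affected_version(version):
            affected.append(jar)
    calls = find_getsqlxml_calls(sources)
    return {
        "affected_jars": affected,
        "getsqlxml_calls": calls,
        "reachable": bool(affected) and bool(calls),
    }


# Constructed sample input; not taken from any real deployment.
SAMPLE_JARS = ["h2-1.4.200.jar", "h2-2.0.202.jar", "h2-1.4.197.jar", "postgresql-42.2.5.jar"]
SAMPLE_SOURCES = {
    "Dao.java": "ResultSet rs = st.executeQuery(q);\nString s = rs.getString(1);\n",
    "XmlDao.java": 'SQLXML x = rs.getSQLXML("payload");\n',
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_JARS, SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

The verdict is deliberately two-sided: an H2 jar in the affected range on its own only triggers scanner findings, and a getSQLXML() call on its own is harmless against a fixed H2, so only the combination marks the CVE as reachable. On a real system the source scan should be complemented by inspecting dependency bytecode (for example with `javap`), since a library bundled with the product could call the accessor even when first-party code does not.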

CONCLUSION

  • The vulnerable method is not used in our products.
  • Upgrading to an H2 version that is not flagged for this vulnerability requires backward-incompatible changes to the product. This would require users of WSO2 products to perform a data migration, even though the vulnerability itself cannot affect the security of WSO2 products.

Therefore, WSO2 concludes that this is not an exploitable vulnerability in WSO2 products, and an H2 update will not be performed due to CVE-2021-23463.
