CVE-2022-23221

WSO2 Products impacted: no

Customers actions required: no


REPORTED VULNERABILITY

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring.

REPORTED PRODUCTS

  • WSO2 API Manager: 3.2.0
  • Any other WSO2 products containing the H2 Database Engine before 2.1.210

WSO2 JUSTIFICATION

H2 1.x cannot read 2.x database file formats, and the 2.x upgrade also changes the syntax of existing database scripts, so upgrading would require a data migration of every existing H2 database. This is a backward-incompatible change that would force all existing users to migrate their data. For these reasons we are publishing this CVE justification with our in-depth analysis of the CVE, explaining how the associated risks are mitigated in WSO2 products and what actions WSO2 is taking regarding the CVE, even though we will not be upgrading the H2 version in APIM because of the architectural and migration challenges described above.

In the latest versions of WSO2 API Manager (4.2.0 and above), we have disabled the H2 console by default and removed the option to enable it altogether. In previous versions, the console could be enabled but was only accessible via localhost, so a malicious actor would first need access to the server container or host to exploit any console vulnerability.

Even in WSO2 API Manager versions before 4.2.0, the default H2 Console configuration mitigates this risk by keeping the console inaccessible from external sources. Furthermore, all H2 database calls occur internally within the product. All DB connection URLs are fetched from system configuration, which is accessible only to admin users with high-privileged access. Additionally, we have implemented validation logic for JDBC connection URLs that prevents exploitation through the substrings mentioned in the CVE: INIT connection settings in JDBC connection strings were already restricted by fixes [1], [2] and [3] for security advisory WSO2-2021-1259 and by [4] as part of security advisory WSO2-2023-3084. Hence there is no way to exploit this substring in a JDBC connection URL within API Manager.
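As an added illustration of the kind of JDBC URL validation the paragraph above describes (this is example code written for this page, not WSO2's own validator, and it uses Python as a stand-in for the product's Java), the check below parses an H2 connection URL into its `;`-separated settings and refuses any URL that carries INIT or the other settings quoted in the CVE. The denylist beyond INIT, the sample URLs and the paths in them are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Connection settings refused outright. INIT is the code-execution vector
# named in CVE-2022-23221 (it makes H2 run SQL when the connection opens);
# the other two come from the URL pattern quoted in the CVE and are refused
# here as a constructed hardening choice, not a WSO2 rule.
DENIED_SETTINGS = {"INIT", "IGNORE_UNKNOWN_SETTINGS", "FORBID_CREATION"}

@dataclass
class Verdict:
    allowed: bool
    reason: Optional[str] = None

def parse_settings(url: str) -> Dict[str, str]:
    """Split 'jdbc:h2:<db>;K=V;K=V' into {K: V} with upper-cased keys.
    H2 treats setting names case-insensitively, so the check must too."""
    settings: Dict[str, str] = {}
    for part in url.split(";")[1:]:
        key, sep, value = part.partition("=")
        key = key.strip().upper()
        if key:
            settings[key] = value.strip() if sep else ""
    return settings

def validate_h2_url(url: str) -> Verdict:
    """Return Verdict(True) only for an H2 URL carrying no denied setting."""
    if not url.strip().lower().startswith("jdbc:h2:"):
        return Verdict(False, "not an H2 JDBC URL")
    for key in parse_settings(url):
        if key in DENIED_SETTINGS:
            return Verdict(False, f"setting {key} is not permitted")
    # Belt and braces: refuse INIT wherever it appears as a setting name,
    # even if whitespace or an odd delimiter slips past the parser above.
    if re.search(r"(?i)(^|;)\s*init\s*=", url):
        return Verdict(False, "INIT detected by pattern check")
    return Verdict(True)

# Constructed sample URLs: a benign file-backed database and the in-memory
# pattern described in the CVE (the script reference is a placeholder).
SAMPLE_URLS = {
    "benign": "jdbc:h2:./constructed/path/WSO2_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000",
    "cve_pattern": "jdbc:h2:mem:db;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM '<placeholder>'",
}

if __name__ == "__main__":
    for name, sample in SAMPLE_URLS.items():
        print(name, validate_h2_url(sample))
```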

As a result of this analysis, we have concluded that this vulnerability does not negatively impact the security of WSO2 API Manager 3.2.0.

Additionally, we have already upgraded the H2 database to non-vulnerable 2.x versions in APIM 4.1.0 and above, so those versions do not include the affected H2 dependency. We recommend migrating to APIM 4.1.0 or above to avoid the dependency being flagged by automated scanners.

CONCLUSION

  • The H2 Console is not enabled or exposed externally in WSO2 products by default.
  • Access to the console, even when enabled, was restricted to localhost, requiring attackers to have server-level access.
  • Upgrading to an H2 version that is not flagged for this vulnerability requires backward-incompatible changes to the product, forcing users of WSO2 products to perform a data migration even though the vulnerability itself cannot affect the security of WSO2 products.

Therefore, WSO2 concludes that this is not an exploitable vulnerability in WSO2 products, and an H2 update will not be performed for CVE-2022-23221.

REFERENCES