CVE-2022-45868
WSO2 Products impacted: no
Customers actions required: no
REPORTED VULNERABILITY
The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Therefore, a local user is able to access the password by listing the processes and their arguments.
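To show the defender's side of that mechanism, the following added example (not code from the WSO2 advisory or the H2 project) scans local process command lines for the H2 flag named above and reports any finding with the secret redacted. It assumes a Linux host with /proc mounted; the flag set and the sample command line in the comments are assumptions for illustration.

```python
"""Added example (not WSO2's or H2's own code): flag local processes that were
handed a cleartext password on the command line, the condition that makes
CVE-2022-45868 observable in a process listing. Reads /proc/<pid>/cmdline on
Linux (argv stored NUL-separated). The flag set and samples are assumptions."""
import os
from typing import List, Tuple

# Flags whose next argv token is a cleartext secret; -webAdminPassword is the
# H2 flag named in the advisory (assumed set, extend for your environment).
SENSITIVE_FLAGS = {"-webAdminPassword"}


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated) into argv."""
    return [tok.decode("utf-8", "replace") for tok in raw.split(b"\0") if tok]


def find_cleartext_passwords(argv: List[str]) -> Tuple[List[str], str]:
    """Return (flags_found, redacted_cmdline). Handles H2's separate-token form
    ('-webAdminPassword secret') and, defensively, '-flag=secret'. The secret is
    replaced by '***' so the finding can be logged without re-leaking it."""
    flags_found: List[str] = []
    redacted = list(argv)
    for i, arg in enumerate(argv):
        name, sep, _ = arg.partition("=")
        if arg in SENSITIVE_FLAGS and i + 1 < len(argv):
            redacted[i + 1] = "***"
            flags_found.append(arg)
        elif sep and name in SENSITIVE_FLAGS:
            redacted[i] = name + "=***"
            flags_found.append(name)
    return flags_found, " ".join(redacted)


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, List[str], str]]:
    """Scan every readable /proc/<pid>/cmdline; unreadable or exited PIDs are skipped."""
    findings = []
    if not os.path.isdir(proc_root):  # not Linux, or procfs not mounted
        return findings
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue
        flags, redacted = find_cleartext_passwords(argv)
        if flags:
            findings.append((int(pid), flags, redacted))
    return findings


if __name__ == "__main__":
    # Constructed sample: b"java\0org.h2.tools.Server\0-web\0-webAdminPassword\0s3cret\0"
    for pid, flags, cmd in scan_proc():
        print(f"pid {pid}: cleartext secret via {', '.join(flags)} -> {cmd}")
```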
REPORTED PRODUCTS
- WSO2 API Manager : 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
- WSO2 Open Banking AM : 2.0.0, 1.5.0, 1.4.0
- Any other WSO2 products containing the H2 Database Engine before 2.2.220
WSO2 JUSTIFICATION
The vulnerability is reported when starting the H2 web-based console from the CLI with a cleartext password, which is not applicable to WSO2 products.
Furthermore, the H2 web-based console is disabled by default, and newer WSO2 product versions, including APIM 4.2.0 onwards, even remove the deployment.toml configuration option to enable/disable the H2 web console.
In addition, CVE-2022-45868 is a disputed vulnerability, and the H2 project states the following:
"This is not a vulnerability of H2 Console. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."
CONCLUSION
Due to the following key points:
- CVE-2022-45868 is a disputed CVE.
- The H2 console is disabled by default in WSO2 products.
- The vulnerability is reported when starting the H2 web-based console from the CLI, which is never applicable to WSO2 products.
- Upgrading to an H2 version that is not flagged for this vulnerability requires backward-incompatible changes to the product. This would require users of WSO2 products to perform a data migration, even though the vulnerability itself can never affect the security of WSO2 products.
Therefore, WSO2 concludes that this is not an exploitable vulnerability in WSO2 products, and an H2 update will not be performed for CVE-2022-45868.