Possible mitigation for CVE-2021-42392


Marcello Rinaldo Martina

Jan 11, 2022, 5:48:38 AM
to H2 Database
Is using the system option `-Dh2.allowClasses=org.h2.*` a suitable mitigation for the vulnerability detailed in https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6?

Evgenij Ryazanov

Jan 11, 2022, 7:04:46 AM
to H2 Database
Hello.

You don't need any mitigations if you use H2 correctly. If you use the H2 Console, it must either not be reachable from an external network (by default only connections from localhost are accepted), or it must be protected in some other way; a possible way is described in the documentation and the advisory. If you don't use it, you shouldn't start it within your application. The H2 database by itself is not affected by this vulnerability, only the H2 Console is.

This option can also be used to prevent all attempts to use data sources in the H2 Console, but you need to protect it anyway. This is a tool for developers; it shouldn't be available to unauthorized or untrusted users.

Marcello Rinaldo Martina

Jan 11, 2022, 8:48:28 AM
to H2 Database
Thanks for the reply!
I understood that the console is just for debugging/development. I am using H2 on IoT devices, and sometimes (rarely) there is a need to access the H2 Console remotely.
I can enable and disable the console only when needed. But even for the short time the server is up, I still want it to be as secure as possible. The other mitigations presented in the advisory are not applicable in our setting, so if possible I still want to use that option.

Hence, I have a further question: does the H2 runtime depend on classes other than org.h2.*? Will such an option break something?

Evgenij Ryazanov

Jan 11, 2022, 9:35:31 AM
to H2 Database
If you have Java triggers or function aliases, database event listeners, or table engines, or use the JAVA_OBJECT data type, you need to list your classes in that setting. If you use org.locationtech.jts.geom.Geometry, it also needs to be listed.

Otherwise, you don't need anything else to be included.
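The answer above says which classes have to appear in `h2.allowClasses` besides `org.h2.*`. The following is an added example, not code from the H2 project or from anyone in this thread: a small stand-alone model of how such an allow-list is evaluated, used to check a deployment's list of user classes against a candidate setting before it goes live. It assumes the documented format of the property (a comma-separated list; a bare `*` allows everything; an entry ending in `*` is a name prefix; anything else is an exact class name). H2's own check lives in its JDBC utility code and is not called here; the class names under `REQUIRED_CLASSES` are constructed for the example, and `com.example.iot.AuditTrigger` is a hypothetical user trigger.

```python
"""Model of an h2.allowClasses-style allow-list (added example, not H2 code).

Assumed semantics, following the property's documented format:
  "*"          -> allow every class
  "org.h2.*"   -> allow any class whose name starts with "org.h2."
  "a.b.C"      -> allow exactly the class a.b.C
Entries are comma-separated; whitespace around entries is ignored.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class ClassAllowList:
    allow_all: bool = False
    exact: Set[str] = field(default_factory=set)
    prefixes: List[str] = field(default_factory=list)

    @classmethod
    def parse(cls, value: str) -> "ClassAllowList":
        """Parse the value of -Dh2.allowClasses=... into an allow-list."""
        al = cls()
        for entry in (e.strip() for e in value.split(",")):
            if not entry:
                continue
            if entry == "*":
                al.allow_all = True
            elif entry.endswith("*"):
                # "org.h2.*" becomes the prefix "org.h2."
                al.prefixes.append(entry[:-1])
            else:
                al.exact.add(entry)
        return al

    def is_allowed(self, class_name: str) -> bool:
        """True if the class may be loaded by name under this setting."""
        if self.allow_all or class_name in self.exact:
            return True
        return any(class_name.startswith(p) for p in self.prefixes)


def check_deployment(allow_classes: str, required: List[str]) -> List[str]:
    """Return the classes the application needs that the setting would block.

    An empty result means the setting will not break the listed features
    (triggers, function aliases, event listeners, JAVA_OBJECT, JTS geometry).
    """
    al = ClassAllowList.parse(allow_classes)
    return [c for c in required if not al.is_allowed(c)]


# Constructed sample: classes a hypothetical deployment loads by name.
REQUIRED_CLASSES = [
    "org.h2.tools.TriggerAdapter",        # part of H2 itself, covered by org.h2.*
    "com.example.iot.AuditTrigger",       # hypothetical user-defined trigger
    "org.locationtech.jts.geom.Geometry", # JTS class named in the thread
]

if __name__ == "__main__":
    candidates = (
        "org.h2.*",
        "org.h2.*,com.example.iot.*,org.locationtech.jts.geom.Geometry",
    )
    for setting in candidates:
        blocked = check_deployment(setting, REQUIRED_CLASSES)
        print(f"-Dh2.allowClasses={setting}")
        print(f"  would block: {blocked if blocked else 'nothing'}")
```

Under these semantics a prefix entry is a plain string prefix, so write it with the trailing dot (`com.example.iot.*`, not `com.example.iot*`) to avoid also matching unrelated packages that merely share the leading characters; the narrower the list, the less a console exposure can reach.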

Marcello Rinaldo Martina

Jan 11, 2022, 9:53:35 AM
to H2 Database
Thank you very much!

Best,
Marcello
