Security vulnerability in H2 database module


Ahmet Sait

Apr 26, 2023, 12:51:58 PM
to WildFly
Hi, 

I have become aware of a security vulnerability in the H2 database module of WildFly, and I am concerned about the security implications for my application.

I understand that WildFly has not yet released an update or patch for this vulnerability, and I am wondering if there is any action I can take to mitigate the risk. Specifically, I am considering removing the H2 database module from WildFly to prevent the vulnerability from being exploited, but I am not sure if this will cause any issues with my application's functionality.

Can you please provide any guidance or advice on how to address this issue? I appreciate any help you can offer.

Thank you.

Claudio Weiler

Apr 28, 2023, 11:29:22 AM
to WildFly
I would say that you are safe if your application isn't using H2, as WF classloading does not expose this module to the application.

But I'm also interested if it's doable (and a good "how to") to safely remove H2 module.

Darran Lofthouse

Apr 28, 2023, 12:04:51 PM
to WildFly
There are two vulnerabilities reported against H2 that we know about, please let me know if you are seeing anything else reported.

These are not applicable to WildFly as we don't make the console available. In both cases, even for users using H2 themselves and exposing the console: the first is dependent on unauthenticated public access being enabled, where TBH if you are going to advertise your database to the world you have bigger issues; the second was in relation to a command line argument which users can use to start the console, and the vendor has not accepted it is a vulnerability as users should know better than to pass passwords in as command line arguments.
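A quick way to check the premise in Claudio's reply, that the application is not using H2 at all, before deciding whether the module can go. This is an added example, not part of the thread or of WildFly itself: it scans an installation for datasources bound to the bundled H2 driver module and for packaged deployments that declare a module dependency on it. The directory layout under $JBOSS_HOME is assumed, and the standalone.xml fragment is constructed to mirror the stock ExampleDS definition.

```shell
#!/bin/sh
# Added example (not from the thread or from WildFly): audit an install for H2 usage.
# Assumes the standard layout under $JBOSS_HOME: standalone/configuration/*.xml,
# domain/configuration/*.xml and packaged deployments in standalone/deployments.

h2_refs_in_file() {
    # Print (numbered) lines naming the H2 module, driver or JDBC URL; status 1 if none.
    grep -nE 'com\.h2database\.h2|<driver>h2</driver>|driver="h2"|jdbc:h2:' "$1"
}

audit_wildfly_h2() {
    home="$1"; found=0
    for cfg in "$home"/standalone/configuration/*.xml "$home"/domain/configuration/*.xml; do
        [ -f "$cfg" ] || continue
        if refs=$(h2_refs_in_file "$cfg"); then
            echo "== $cfg"; echo "$refs"; found=1
        fi
    done
    # Deployments can also pull the module in explicitly via MANIFEST.MF "Dependencies:".
    for dep in "$home"/standalone/deployments/*.war "$home"/standalone/deployments/*.jar "$home"/standalone/deployments/*.ear; do
        [ -f "$dep" ] || continue
        if unzip -p "$dep" META-INF/MANIFEST.MF 2>/dev/null | grep -qE '^Dependencies:.*com\.h2database\.h2'; then
            echo "== $dep declares a module dependency on com.h2database.h2"; found=1
        fi
    done
    return $found   # 0 = no H2 references found, 1 = review these before removing the module
}

make_sample_install() {
    # Constructed sample: a minimal standalone.xml with the stock ExampleDS on H2.
    d=$(mktemp -d); mkdir -p "$d/standalone/configuration" "$d/standalone/deployments"
    cat > "$d/standalone/configuration/standalone.xml" <<'EOF'
<datasources>
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
    <driver>h2</driver>
  </datasource>
  <drivers>
    <driver name="h2" module="com.h2database.h2"/>
  </drivers>
</datasources>
EOF
    echo "$d"
}

SAMPLE_HOME=$(make_sample_install)
audit_wildfly_h2 "$SAMPLE_HOME" || echo "H2 is referenced: fix these before removing the module"
```

A default install will always flag ExampleDS, so drop that datasource and the h2 driver entry from the configuration first; a clean run is the point at which removing the module is unlikely to break anything.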