A critical vulnerability has been discovered in the third-party h2 database (all releases prior to 2.0.206) used by both the Console front-end package and the Node back-end package:
The h2 database is used by all 1.x releases of Console/Node (2.x releases do not use the h2 database) and therefore all 1.x releases are impacted by this CVE. See also https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/.
Updates to Console/Node packages
CAST does NOT intend to provide a new release of Console 1.x containing a release of h2 database that fixes this CVE. The h2 database releases that include the fix are not compatible with the h2 database release that CAST uses, so upgrading would require a full database migration, with all the risk associated with it.
What you can do to prevent the vulnerability from being exploited
To mitigate the risk posed by this CVE, you should perform the following actions.
Disable and prevent access to the h2 database UI console
First locate the following property files in your deployment:
In these property files, locate the following section:
Now ensure that the following line is set to false (this should already be the case, since the property is set to false out of the box). When set to false, this property disables the h2 database web-based console, which is the most severe attack vector for this CVE:
Then add a new line in the section as follows. This property ensures that the h2 database web-based console (if enabled) can only be accessed from localhost, not from other devices on the LAN:
Finally, restart the following to ensure the change is taken into account:
- Console front-end
- All Node back-ends
If you need access to the h2 database UI console, you should enable authentication on it by adding the property spring.h2.console.settings.web-admin-password to the Console/Node property files and setting it to the password you want to use to protect the h2 console.
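The following script is an added example, not part of this advisory and not CAST tooling. It audits the text of a Console/Node property file for the three h2 console settings described above and reports what still needs changing. The key names spring.h2.console.enabled and spring.h2.console.settings.web-allow-others are the standard Spring Boot keys for the h2 console and are assumed here; the advisory itself names only spring.h2.console.settings.web-admin-password. The two property-file snippets inside the script are constructed samples.

```python
"""Audit a Spring-style .properties file for the h2 console hardening settings.

Added example (not CAST's code). Assumes the Console/Node property files are
plain Java .properties text (key=value or key:value, '#'/'!' comments).
The key names for 'enabled' and 'web-allow-others' are the standard Spring
Boot keys and are assumed; only 'web-admin-password' is named in the advisory.
"""

ENABLED_KEY = "spring.h2.console.enabled"                       # assumed standard key
ALLOW_OTHERS_KEY = "spring.h2.console.settings.web-allow-others"  # assumed standard key
ADMIN_PASSWORD_KEY = "spring.h2.console.settings.web-admin-password"  # named in the advisory

# Constructed samples: an exposed configuration and the hardened one.
WEAK_EXAMPLE = """
# console reachable from the LAN, no password
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""

HARDENED_EXAMPLE = """
spring.h2.console.enabled=false
spring.h2.console.settings.web-allow-others=false
"""


def parse_properties(text):
    """Minimal .properties parser: returns {key: value}; a later duplicate key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Java splits on the first '=' or ':' that appears, whichever comes first.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if positions:
            idx = min(positions)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit_h2_console(text):
    """Return a list of findings; an empty list means the file matches the steps above."""
    props = parse_properties(text)
    findings = []
    enabled = props.get(ENABLED_KEY, "false").lower() == "true"
    allow_others = props.get(ALLOW_OTHERS_KEY, "false").lower() == "true"
    has_password = bool(props.get(ADMIN_PASSWORD_KEY, ""))

    if enabled:
        findings.append(f"{ENABLED_KEY}=true: h2 web console is reachable; set it to false")
        if allow_others:
            findings.append(f"{ALLOW_OTHERS_KEY}=true: console accepts non-localhost clients; set it to false")
        if not has_password:
            findings.append(f"{ADMIN_PASSWORD_KEY} missing: console has no admin password")
    elif ALLOW_OTHERS_KEY not in props:
        # Defence in depth: pin the console to localhost even while it is disabled,
        # so a later 'enabled=true' does not silently expose it on the LAN.
        findings.append(f"{ALLOW_OTHERS_KEY} not set: add {ALLOW_OTHERS_KEY}=false")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        result = audit_h2_console(sample)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

To run it against a real deployment, read each Console/Node property file into a string and pass it to audit_h2_console; the script deliberately treats a missing spring.h2.console.enabled key as false, which matches the out-of-the-box default described above.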
Other mitigation tactics include updating the JRE/JDK installed on the host servers used by Console and all Nodes so that it includes the trustURLCodebase check, which prevents loading remote codebases via JNDI. This check was added in:
- Java 8 update 191
- Java 11.0.1
The trustURLCodebase property should be set to false; you can do this by adding -DtrustURLCodebase=false to the Console and Node .bat files used to launch the services:
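As an added example (not part of this advisory and not CAST tooling), the following script decides whether the JRE/JDK on a host is new enough to carry the trustURLCodebase check, using the two thresholds given above (Java 8 update 191 and Java 11.0.1). It parses the output of `java -version`, which prints the legacy form `java version "1.8.0_191"` for Java 8 and the form `openjdk version "11.0.1"` for Java 11 and later; the sample output strings inside the script are constructed. Releases after Java 11 are treated as carrying the check; Java 9 and 10 are outside the advisory's thresholds and are reported as unknown.

```python
"""Check a `java -version` output string against the trustURLCodebase thresholds.

Added example (not CAST's code). Thresholds are the ones stated in the advisory:
Java 8 update 191 and Java 11.0.1. Java releases after 11 are assumed to carry
the check; Java 9 and 10 are reported as 'unknown' rather than guessed.
"""
import re
import subprocess

MIN_JAVA8_UPDATE = 191
MIN_JAVA11 = (11, 0, 1)

_VERSION_RE = re.compile(r'version "([^"]+)"')

# Constructed sample outputs, as `java -version` writes them to stderr.
SAMPLE_OLD_JAVA8 = 'java version "1.8.0_181"\nJava(TM) SE Runtime Environment (build 1.8.0_181-b13)\n'
SAMPLE_NEW_JAVA8 = 'java version "1.8.0_191"\nJava(TM) SE Runtime Environment (build 1.8.0_191-b12)\n'
SAMPLE_JAVA11 = 'openjdk version "11.0.1" 2018-10-16\nOpenJDK Runtime Environment 18.9 (build 11.0.1+13)\n'


def parse_java_version(output):
    """Return (major, minor, update_or_patch) from `java -version` output, or None.

    Legacy '1.8.0_191' becomes (8, 0, 191); modern '11.0.1' becomes (11, 0, 1).
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    ver = match.group(1)
    if ver.startswith("1."):
        legacy = re.match(r"1\.(\d+)\.(\d+)(?:_(\d+))?", ver)
        if not legacy:
            return None
        return (int(legacy.group(1)), int(legacy.group(2)), int(legacy.group(3) or 0))
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not modern:
        return None
    return (int(modern.group(1)), int(modern.group(2) or 0), int(modern.group(3) or 0))


def has_trust_url_codebase_check(output):
    """Return 'present', 'missing' or 'unknown' for the Java that printed `output`."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    major, _minor, third = version
    if major == 8:
        return "present" if third >= MIN_JAVA8_UPDATE else "missing"
    if major == 11:
        return "present" if version >= MIN_JAVA11 else "missing"
    if major > 11:
        return "present"  # assumption: later lines inherit the Java 11.0.1 behaviour
    return "unknown"      # Java 9, 10 and pre-8 lines are not covered by the advisory


def check_local_java():
    """Run the locally installed `java -version` and classify it (needs java on PATH)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    # `java -version` writes to stderr; fall back to stdout for unusual wrappers.
    return has_trust_url_codebase_check(proc.stderr or proc.stdout)


if __name__ == "__main__":
    for label, sample in (("8u181", SAMPLE_OLD_JAVA8), ("8u191", SAMPLE_NEW_JAVA8), ("11.0.1", SAMPLE_JAVA11)):
        print(f"{label}: trustURLCodebase check {has_trust_url_codebase_check(sample)}")
    print(f"local java: trustURLCodebase check {check_local_java()}")
```

A "present" result only means the JDK has the check available; the -DtrustURLCodebase=false setting in the launch .bat files described above still needs to be in place, so a full audit should inspect both the installed Java and the launch scripts.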