A critical vulnerability has been discovered in the third-party tool h2 database (all releases prior to 2.0.206) used by both the Console front-end package and the Node back-end package:
The h2 database is used by all 1.x releases of Console/Node (2.x releases do not use the h2 database) and therefore all 1.x releases are impacted by this CVE. See also https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/.
CAST does NOT intend to provide a new release of Console 1.x that includes a new release of h2 database that includes the fix for this CVE. This is because the releases of h2 database that include the CVE fix are not compatible with the release of h2 database that CAST uses, and therefore a full database migration would be necessary with all the risk associated with it.
To mitigate the risk posed by this CVE, you should perform the following actions.
First locate the following property files in your deployment:
Console: %PROGRAMDATA%\CAST\AipConsole\AipConsole\aipConsole.properties
Node (if you have more than one Node, all Nodes must be taken into account): %PROGRAMDATA%\CAST\AipConsole\AipNode\aip-node-app.properties
In these property files, locate the following section:
# ============
# Datasource
# ------------
spring.datasource.url=jdbc:h2:file:C:/Program Data/CAST/AipConsole/AipNode/db/aip_node_db;AUTO_SERVER=TRUE
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driver-class-name=org.h2.Driver
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.jpa.hibernate.ddl-auto=none
spring.h2.console.enabled=false
spring.h2.console.path=/h2
Now ensure that the following line is set to false - this should already be the case, since this property is set to false out of the box. When set to false, this property disables the h2 database web-based console, which is the most severe attack vector for this CVE:
spring.h2.console.enabled=false
Then add a new line in the section as follows. This property ensures that the h2 database web-based console (if enabled) can only be accessed from localhost, not from other devices on the LAN:
Finally, restart the following to ensure the change is taken into account:
If you need to have access to the h2 database UI console, you should enable authentication on it by adding the property
Other mitigation tactics include updating the JRE/JDK installed on the host servers for use by Console and all Nodes, to include a check called trustURLCodebase that prevents loading remote codebases from JNDI. This update has been added in:
The trustURLCodebase property should be set to false, and you can do this by adding -DtrustURLCodebase=false to the Console and Node bat files used to launch the services:
Console: start "AIP Console" /D "%CONSOLE_FOLDER%" java -jar -Xmx2048m -Xms1024m -DtrustURLCodebase=false "bin/aip-console-app.jar"
Node: java -jar -Xmx2048m -Xms1024m -DtrustURLCodebase=false "bin/aip-node-app.jar"
Note, however, that this mitigation is not possible if you are using Microsoft Windows services to run Console/Nodes.
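The following script is an added example, not CAST's code, that checks the two mitigations described above across a fleet of Console/Node installations: it parses a Java .properties file, confirms the h2 web console is disabled and restricted to localhost, and verifies that -DtrustURLCodebase=false in a launch command actually sits where the JVM reads it (between java and the jar path; anything after the jar path is handed to the application as an argument and never reaches the JVM). The property names spring.datasource.url and spring.h2.console.enabled come from the page; spring.h2.console.settings.web-allow-others is Spring Boot's standard property for keeping the H2 console on localhost and is an assumption here, since the page does not quote the line it tells you to add. The property file contents are constructed samples, not a real deployment.

```python
"""Audit h2 console settings in Console/Node property files and -D placement in launch lines.

Added example; not CAST's code. spring.h2.console.settings.web-allow-others is assumed
to be the localhost-only property (Spring Boot's standard name); the page does not name it.
"""
import re

# Constructed sample (not a real deployment): a Node file where the console was
# switched on and no localhost restriction was ever added.
WEAK_PROPERTIES = """\
# ============
# Datasource
# ------------
spring.datasource.url=jdbc:h2:file:C:/ProgramData/CAST/AipConsole/AipNode/db/aip_node_db;AUTO_SERVER=TRUE
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driver-class-name=org.h2.Driver
spring.h2.console.enabled=true
spring.h2.console.path=/h2
"""

# Constructed sample: the same file with both mitigations applied.
HARDENED_PROPERTIES = WEAK_PROPERTIES.replace(
    "spring.h2.console.enabled=true",
    "spring.h2.console.enabled=false\nspring.h2.console.settings.web-allow-others=false",
)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    surrounding whitespace trimmed, trailing-backslash line continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_h2_console(props):
    """Return a list of findings; an empty list means the mitigations are in place."""
    url = props.get("spring.datasource.url", "")
    if not url.lower().startswith("jdbc:h2:"):
        return []                        # no h2 datasource (e.g. a 2.x release): nothing to check
    findings = []
    enabled = props.get("spring.h2.console.enabled", "false").strip().lower()
    allow_others = props.get("spring.h2.console.settings.web-allow-others")
    if enabled != "false":
        findings.append("spring.h2.console.enabled is not false: h2 web console is exposed")
    if allow_others is None:
        if enabled != "false":
            findings.append("localhost restriction not set: add spring.h2.console.settings.web-allow-others=false")
    elif allow_others.strip().lower() != "false":
        findings.append("web-allow-others is not false: console reachable from other hosts on the LAN")
    return findings


def jvm_flag_before_jar(command, flag="-DtrustURLCodebase=false"):
    """True when `flag` sits between `java` and the jar path, i.e. where the JVM reads it.

    Tokens after the jar path are passed to the application's main() as arguments,
    so a -D option placed there is silently ignored. Whitespace tokenization is
    enough for the launch lines in the bat files."""
    tokens = command.split()
    java_idx = next((i for i, t in enumerate(tokens)
                     if t.strip('"').lower() in ("java", "java.exe")), None)
    if java_idx is None:
        return False
    jar_idx = next((i for i, t in enumerate(tokens)
                    if t.strip('"').lower().endswith(".jar")), len(tokens))
    return flag in tokens[java_idx + 1:jar_idx]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, audit_h2_console(parse_properties(text)) or "OK")
    print(jvm_flag_before_jar(
        'java -jar -Xmx2048m -Xms1024m -DtrustURLCodebase=false "bin/aip-node-app.jar"'))
```

In practice, point parse_properties at the aipConsole.properties and aip-node-app.properties files listed above (every Node, not just the first) and feed each launch line from the bat files to jvm_flag_before_jar; a non-empty findings list or a False result is a host that still needs the mitigation.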