A critical CVE has been discovered which impacts the H2 console

A critical CVE has been discovered at the beginning of 2022. This cve impacts only the H2 Console and allows an attacker to execute remote code. If the H2 console is used and exposed on the LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and it should be updated to version 2.1.210 immediately.

Impact

In bonita bundle ( runtime) h2console is not used but the jar is in bonita classpath ( server/lib/bonita), which means that a malicious user could develop a custom groovy script that activates h2Console. Once activated, the user can exploit it to call a remote ldap server

What should you do?

All versions before 2022.1-u1 are potentially vulnerable to the h2 cve and you must remove h2 jar (h2-1.4.199.jar) from the classpath ( bonita/server/lib/bonita) for all runtime platforms, production and non-production servers (as long as h2 is not the selected database)

The Bonita engine in Studio uses the h2 database, so this .jar file is needed. To keep this environment secure make sure it is not accessible from outside the LAN or WAN. 

Bonitasoft will release a fix for this vulnerability in the next maintenance version 2022.1-u1 for the subscription edition, and in 2022.2 for the community edition.