Thanks for the reply! I understood that the console is just for debugging/development. I am using H2 on IoT devices and sometimes (rarely) there is the need to access the H2 console remotely. I can enable and disable the console only when needed. But, even for that short time the server is up, I still want it to be as secure as possible. The other mitigations presented in the advisory are not applicable in our setting, so if possible I still want to use that option.
Hence, I have a further question: does the H2 runtime depend on any classes other than org.h2.*? Will such an option break something?

On Tuesday, 11 January 2022 at 13:04:46 UTC+1 Evgenij Ryazanov wrote:

> Hello.
>
> You don't need any mitigations if you use H2 correctly. If you use the H2 Console, it must either not be available from an external network (by default only connections from localhost are accepted), or it must be protected in some other way; a possible way is described in the documentation and the advisory. If you don't use it, you shouldn't start it within your application. The H2 database by itself is not affected by this vulnerability, only the H2 Console is.
>
> This option can also be used to prevent all attempts to use data sources in the H2 Console, but you need to protect it anyway. This is a tool for developers; it shouldn't be available to unauthorized or untrusted users.
