Re: [h2] CVE-2018-10054

2018-08-09 Thread Evgenij Ryazanov
This is not really a “hole” in H2, it is an unsafe non-default
configuration that is used in some third-party products.

You have to enable remote access to H2 explicitly, but if you're doing it
you should also set additional restrictions that suit your environment and
needs. -ifExists can be used to prevent creation of new databases, security
constraints can be used on a web server to limit access to the H2 Console only
to some authorized users, and SSL can be enabled to encrypt the network layer.

I think we need a more detailed description of configuration parameters with
better security guidance. Unfortunately, this most likely will not reduce the
number of unsafe configurations significantly, because many people just use
the first working example that was found somewhere on the Internet, but we
can try.

-- 
You received this message because you are subscribed to the Google Groups "H2 
Database" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to h2-database+unsubscr...@googlegroups.com.
To post to this group, send email to h2-database@googlegroups.com.
Visit this group at https://groups.google.com/group/h2-database.
For more options, visit https://groups.google.com/d/optout.
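An added example (not code from the thread or from the H2 project) of starting an embedded H2 TCP server with the restrictions Evgenij and Kerry describe, with the unsafe variant shown commented out for contrast. It uses H2's public org.h2.tools.Server API; the port, key store path and the allowed-class prefix are assumed values.

```java
import java.sql.SQLException;
import org.h2.tools.Server;

// Added example: an embedded H2 TCP server started with the restrictions the
// thread recommends. Port, key store path and the allowed-class prefix are
// assumed values; adjust them to your deployment.
public class HardenedH2Server {

    public static Server start() throws SQLException {
        // Unsafe shape of the configuration (shown for contrast, not started):
        // reachable from any host, any database name is created on first
        // connect (and whoever creates it becomes its admin), no TLS, and every
        // class on the classpath is loadable from SQL.
        // Server.createTcpServer("-tcp", "-tcpAllowOthers", "-tcpPort", "9092").start();

        // 1. Limit the Java classes SQL may reference (h2.allowedClasses).
        //    The default is "*" (everything); list only what the application
        //    needs. Must be set before any H2 class is loaded.
        System.setProperty("h2.allowedClasses", "com.example.app.*");  // assumed prefix

        // 2. Key material for -tcpSSL comes from the standard javax.net.ssl
        //    properties; the path and password here are placeholders.
        System.setProperty("javax.net.ssl.keyStore", "/etc/h2/keystore.p12");
        System.setProperty("javax.net.ssl.keyStorePassword", "PLACEHOLDER");

        Server tcp = Server.createTcpServer(
                "-tcp",
                "-tcpPort", "9092",
                "-ifExists",   // only databases that already exist may be opened
                "-tcpSSL"      // encrypt the network layer
                // no "-tcpAllowOthers": connections from other hosts are refused
        ).start();
        return tcp;
    }

    public static void main(String[] args) throws SQLException {
        Server tcp = start();
        System.out.println("H2 TCP server running at " + tcp.getURL());
        Runtime.getRuntime().addShutdownHook(new Thread(tcp::stop));
    }
}
```

If the H2 Console servlet is also deployed, the web server's own security constraints (not shown here) should limit who can reach it, as the message above notes.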


Re: [h2] CVE-2018-10054

2018-08-09 Thread Kerry Sainsbury
Fair enough! That sounds to me like the hole that needs to be blocked.


Re: [h2] CVE-2018-10054

2018-08-09 Thread Delta
You need admin, but you can gain such privileges by just creating a new db,
and for this you don't need to be admin.


Re: [h2] CVE-2018-10054

2018-08-09 Thread Kerry Sainsbury
I would say that it can be dealt with by the user already.

1. Apparently "Admin rights are required to execute this command" --
therefore only give admin rights to users who should have them.
2. Also, you can constrain the classes that can be loaded via h2.allowedClasses


Is that sufficient?


Re: [h2] CVE-2018-10054

2018-08-09 Thread Thomas Mueller Graf
Hi,

See the CVE: Datomic was fixed.

Regards,
Thomas


Re: [h2] CVE-2018-10054

2018-08-09 Thread Thomas Mueller Graf
Hi,

> H2 1.4.197, as used in Datomic before 0.9.5697 and other products

I think the point here is "as used in Datomic ... and other products".

You could say that "bash" is vulnerable "as used in ". The
problem to me seems not in H2, but in , that uses H2 in a way
that is not secure.


[h2] CVE-2018-10054

2018-08-09 Thread Christian Jonigkeit
Is there a schedule for dealing 
with https://www.cvedetails.com/cve/CVE-2018-10054/ ?
