PT-2018-9645 · Atlassian+2 · Bamboo Server+4

Gambler · Published 2018-04-11 · Updated 2024-08-05 · CVE-2018-10054

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- H2 version 1.4.197
- Datomic versions prior to 0.9.5697
- Bamboo Data Center and Server versions 9.1.0 through 9.4.0

Description: The issue allows remote code execution because the CREATE ALIAS command can execute arbitrary Java code. An authenticated attacker can exploit this to expose assets in the environment, with a high impact on confidentiality, integrity, and availability. The vendor's position is that H2 is not designed to be run outside of a secure environment.

Recommendations:
- H2 version 1.4.197: consider disabling the CREATE ALIAS command until a patch is available.
- Datomic versions prior to 0.9.5697: upgrade to version 0.9.5697 or later.
- Bamboo Data Center and Server 9.2: upgrade to release 9.2.8 or later.
- Bamboo Data Center and Server 9.3: upgrade to release 9.3.6 or later.
- Bamboo Data Center and Server 9.4: upgrade to release 9.4.2 or later.
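Where CREATE ALIAS cannot be disabled right away, a practical interim control is to flag every CREATE ALIAS statement that reaches the database. The following detector is an added example, not part of this record or of H2; it runs over constructed sample statement-log lines (the log format and statements are assumed, not taken from any affected product) and distinguishes aliases that bind an existing Java method (FOR) from aliases that compile Java source supplied inline (AS $$ ... $$).

```python
import re

# Constructed sample of SQL statements as they might appear in an H2 trace/statement log.
# Line 3 deliberately uses a harmless inline body; line 4 is a string literal that must NOT match.
SAMPLE_LOG = """\
2018-04-11 10:00:01 jdbc[3]: /*SQL*/ SELECT ID, NAME FROM BUILDS WHERE ID = 42;
2018-04-11 10:00:02 jdbc[3]: /*SQL*/ CREATE ALIAS IF NOT EXISTS MY_SQRT FOR "java.lang.Math.sqrt";
2018-04-11 10:00:03 jdbc[3]: /*SQL*/ create   alias   GREET AS $$ String greet(String n) { return "hi " + n; } $$;
2018-04-11 10:00:04 jdbc[3]: /*SQL*/ INSERT INTO NOTES (BODY) VALUES ('create alias inside a string literal');
"""

# H2 syntax: CREATE ALIAS [IF NOT EXISTS] name [DETERMINISTIC] { FOR "class.method" | AS 'source' }
_CREATE_ALIAS = re.compile(
    r"\bCREATE\s+ALIAS\b(?:\s+IF\s+NOT\s+EXISTS)?\s+(?P<name>[\w\"]+)"
    r"(?:\s+DETERMINISTIC)?\s+(?P<kind>FOR|AS)\b",
    re.IGNORECASE,
)


def find_create_alias(log_text: str) -> list[dict]:
    """Return one finding per CREATE ALIAS statement in the log text.

    Both forms let the caller run Java on the database host, which is the
    behaviour this record describes; inline source (AS) is ranked higher because
    the code itself arrives in the statement rather than already being on the classpath.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        # Blank out single-quoted string literals so text inside them cannot trigger a match.
        stripped = re.sub(r"'[^']*'", "''", line)
        m = _CREATE_ALIAS.search(stripped)
        if not m:
            continue
        kind = m.group("kind").upper()
        findings.append({
            "line": lineno,
            "alias": m.group("name").strip('"'),
            "inline_source": kind == "AS",
            "severity": "critical" if kind == "AS" else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_create_alias(SAMPLE_LOG):
        print(f"line {f['line']}: CREATE ALIAS {f['alias']} "
              f"({'inline Java source' if f['inline_source'] else 'bound Java method'}, {f['severity']})")
```

In a real deployment the same function would be fed from the H2 trace file or a JDBC proxy log, and any hit from a non-administrative principal is worth an alert under this record.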

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2018-10054
GHSA-9PF8-QQHM-7W64

Affected Products

Bamboo
Bamboo Server
Datomic
H2
Jira Service Management Server