PT-2022-26449 · Apache · Apache Isis

Dan Haywood

Published: 2022-10-19 · Updated: 2024-08-01 · CVE-2022-42467

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Isis versions prior to 2.0.0-M8

Description: The H2 web console module is automatically made available when the application runs in prototype mode, allowing direct queries against the application database. To improve security, access to the web console now requires explicit enablement by the developer through the isis.prototyping.h2-console.web-allow-remote-access configuration property. As an additional safeguard, the isis.prototyping.h2-console.generate-random-web-admin-password configuration parameter requires a randomly generated password for console access; the password is printed to the log as webAdminPass: xxx. The H2 web console is never available in production mode.

Recommendations: Update to version 2.0.0-M8 or later, where the web console is unavailable unless the isis.prototyping.h2-console.web-allow-remote-access configuration property is set. Setting isis.prototyping.h2-console.web-allow-remote-access to true and isis.prototyping.h2-console.generate-random-web-admin-password to false reverts to the original behaviour. As a temporary workaround, restrict access to the H2 web console module until the update can be applied.
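The following Spring Boot style application.properties fragment is an added illustration, not configuration taken from the advisory or from the Apache Isis project. It places the two properties named above side by side in their permissive form (which reproduces the pre-2.0.0-M8 behaviour) and in the form a defender would keep on a prototyping host. The property names come from the advisory; the claim that Apache Isis reads them from application.properties follows from the framework being Spring Boot based, and the value types (booleans) are assumed from the advisory's description.

```properties
# --- Permissive: reproduces the original behaviour described in the advisory ---
# The H2 web console is reachable remotely, and no random admin password
# is generated, so anyone who can reach the console endpoint can run
# queries against the application database.
isis.prototyping.h2-console.web-allow-remote-access=true
isis.prototyping.h2-console.generate-random-web-admin-password=false

# --- Hardened: what a prototyping host should run with ---
# Leave remote access disabled (do not set the property, or set it to false)
# and require the randomly generated password. With 2.0.0-M8 or later this
# is the behaviour you get when the properties are simply absent (assumption:
# the advisory says the console "requires explicit enablement").
# The generated password is written to the application log as
# "webAdminPass: xxx", so log access on prototyping hosts must be restricted
# accordingly.
isis.prototyping.h2-console.web-allow-remote-access=false
isis.prototyping.h2-console.generate-random-web-admin-password=true
```

A quick defensive check is to grep the deployed configuration (and any environment-variable overrides, since Spring Boot also accepts ISIS_PROTOTYPING_H2_CONSOLE_WEB_ALLOW_REMOTE_ACCESS as a relaxed binding) for web-allow-remote-access=true on any host that is not a developer's workstation, and to confirm the application is not started in prototype mode outside development, since the advisory states the console is never exposed in production mode.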

Fix

Weakness Enumeration

Related Identifiers

CVE-2022-42467
GHSA-998R-J9RX-QM8M

Affected Products

Apache Isis