We don't recommend using H2 database for production environments.

By default, the H2 database is not used anywhere directly. It is only accessed through the JCR and Jackrabbit APIs and it is embedded within the JVM running Magnolia without being open to outside access, thus offering nearly no opportunity for a potential attacker to exploit it.

H2 database issues in versions 1.4.199 and 1.4.200

Magnolia releases 5.5.16, 5.6.13, 5.7.6 and 6.1.3 came with an H2 database update from version 1.4.192 to 1.4.199 due to a known security issue. Unfortunately, it was later found that version 1.4.199 suffers from a consistency issue (https://github.com/h2database/h2database/issues/2139). While a fix for it has been released with H2 1.4.200, that version introduces another issue (https://github.com/h2database/h2database/issues/2204), which may affect the structure of tables and the ability of H2 to read previously stored data.

To keep your systems and data secure, we recommend that you consider taking the following measures:

  • Avoid using H2 in version 1.4.199, the main source of the issues.

  • If you are still running version 1.4.192, don't upgrade to any of the maintenance releases mentioned, that is 5.5.16, 5.6.13, 5.7.6 or 6.1.3, depending on which Magnolia branch you are using.
    Wait for the next maintenance release, which will ship with a version higher than 1.4.199. If you are on the 5.5 Magnolia branch, migrate to a higher branch: 5.5 has reached End of Life and no additional maintenance releases are currently planned for it.

    Additionally, ensure that the H2 database is not exposed through your custom code modifications, for example by accessing the database directly and exposing a query, or by passing any other payload to it through your application. If you adhere to these recommendations, your installation will not be affected by the security issue.

  • If you have already upgraded to 1.4.199, downgrading is not possible due to upstream data structure changes that are incompatible with previous versions. Try updating to version 1.4.200 and check whether you experience any issues; if you do, contact our support.

  • If you are using H2 only in development, you can:

    • Delete the local database and downgrade to version 1.4.192, or
    • Switch to another database, for example Derby, and reinstall your local installation.
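As an added check that is not part of this page or of the Magnolia product, the following POSIX shell functions put the two recommendations above into practice: they inventory the H2 jar(s) shipped in a webapp's WEB-INF/lib, classify each version against the advisory (1.4.192 or older, 1.4.199, 1.4.200, newer), and list places in a custom-module source tree that open H2 directly over JDBC instead of going through the JCR API. The directory layout, the `h2-<version>.jar` naming convention and the grep patterns are assumptions about a typical installation; Jackrabbit's own repository configuration legitimately contains `jdbc:h2:` URLs, so the source scan is limited to `.java` and `.groovy` files.

```shell
#!/bin/sh
# Added example, not code from the Magnolia page: audit an H2-backed Magnolia
# webapp for the versions discussed in the advisory and for custom code that
# reaches H2 directly. Paths, jar naming (h2-<version>.jar) and grep patterns
# are assumptions about a typical installation.

# Extract the version from an H2 jar name, e.g. h2-1.4.199.jar -> 1.4.199.
# A trailing qualifier such as -SNAPSHOT is dropped; prints nothing for
# jars that do not follow the h2-<version>.jar convention.
h2_version_from_jar() {
    name=$(basename "$1")
    case "$name" in
        h2-*.jar) v=${name#h2-}; v=${v%.jar}; echo "${v%%-*}" ;;
        *) echo "" ;;
    esac
}

# True (exit 0) when dotted version $1 is newer than $2. Expects plain
# numeric major.minor.patch strings, which is what H2 releases use.
version_gt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -gt "$b3" ]
}

# Map a version to the advisory's recommendation:
#   affected - 1.4.199: consistency issue (h2database#2139), no downgrade path
#   verify   - 1.4.200: fixes #2139 but has a table-structure issue (#2204)
#   stay     - 1.4.192 or older: keep it, skip the listed maintenance releases
#   newer    - above 1.4.200: outside the advisory's scope
classify_h2_version() {
    case "$1" in
        1.4.199) echo "affected" ;;
        1.4.200) echo "verify" ;;
        *) if version_gt "$1" 1.4.200; then echo "newer"; else echo "stay"; fi ;;
    esac
}

# List every H2 jar under a lib directory as "<jar> <version> <status>".
scan_h2_jars() {
    for jar in "$1"/h2-*.jar; do
        [ -e "$jar" ] || continue
        v=$(h2_version_from_jar "$jar")
        echo "$jar $v $(classify_h2_version "$v")"
    done
}

# Print file:line:text for custom code that opens H2 over JDBC instead of
# using the JCR API. Jackrabbit's repository.xml legitimately contains
# jdbc:h2: URLs, so only .java and .groovy sources are scanned; each hit
# should be reviewed for request-controlled input reaching the database.
find_direct_h2_access() {
    grep -rnE --include='*.java' --include='*.groovy' \
        'jdbc:h2:|org\.h2\.|DriverManager\.getConnection' "$1" 2>/dev/null || true
}

# Number of such hits, as a bare integer.
count_direct_h2_access() {
    find_direct_h2_access "$1" | wc -l | tr -d ' '
}

# Usage: sh h2_audit.sh /path/to/webapp/WEB-INF/lib /path/to/custom/modules/src
audit_h2() {
    echo "== H2 jars in $1 =="
    scan_h2_jars "$1"
    echo "== direct H2 access in $2 ($(count_direct_h2_access "$2") hit(s)) =="
    find_direct_h2_access "$2"
}

if [ "$#" -eq 2 ]; then
    audit_h2 "$1" "$2"
fi
```

Run it against the deployed webapp's WEB-INF/lib and the source tree of your own modules; a jar reported as `affected` means the 1.4.200 route described above is the only way forward, and every `find_direct_h2_access` hit is a place where the embedded database is reachable by something other than Jackrabbit and should be moved behind the JCR API.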