Advice on CVEs of h2 version 1.3.171

Question

Using com.datomic/datomic-pro version "1.0.6362" brings in a transitive dependency on com.h2database/h2 version "1.3.171" (on-prem).

The latter suffers from various CVEs:

1. CVE-2021-23463
2. CVE-2021-42392
3. CVE-2022-23221

(c.f. mvnrepository.com/artifact/com.h2database/h2/1.3.171

1. Is a Datomic upgrade planned to resolve this?
2. If not and in the meantime, can you give any advice on how to deal with this? In particular:
3. Can you give detailed advice on whether these vulnerabilities actually do or do not constitute a security risk?
   3.1 Some of the CVEs mention h2 console as part of an attack vector, and I have heard this would not apply to Datomic. However, I have not found official information on this. Moreover, if I understood correctly, there are other attack vectors. Please advise.
   3.2 The first linked CVE is a SQLXML XXE. It seems like this would not apply as long as getSQLXML is not called, but this is just my impression and I do not know about usage in Datomic. Please advise.
4. Do you have any advice on overriding the h2 dependency with an h2 version not suffering from these CVEs, say version "2.1.210"? As this a major upgrade, I expect problems. In particular, I expect migrating existing h2 databases to be problematic.

Thank you very much for your assistance.

Answer 1

These CVEs should not affect your Datomic System.

We are continually adjusting our dependencies to account for security issues. I would not suggest trying to override this dependency on your own as it could cause issues with your system.

In the future I suggest creating a support ticket via support@cognitect.com. We have a 2 day response SLA for customers.