2022-01-14 | Business Unit Water

On 6 January 2022, security researchers reported in a JFrog blog (JNDI-Related Vulnerability Discovered in H2 Database Console | JFrog) on a vulnerability in the H2 database console. On 10 January 2022, the associated CVE-2021-42392 (NVD - CVE-2021-42392) was published, the CVS score of which has not yet been calculated (state 2022-01-12). Due to the proximity to the known Log4Shell vulnerability, a critical classification is to be assumed, since external code can be executed without authentication with the rights of the service. This makes it possible to further reload malicious code and to spread viruses.

Some KISTERS-Water solutions use the H2 database but are not affected by this vulnerability. The results of the analysis can be found in the table below:



WISKI Standard Portal Applications + Standalone Portal

The H2 database is delivered by the portal as a jar and would run exclusively in embedded mode if activated. The console, which is affected by the security gap, is not part of the delivery. In addition, the TCP server is not started as access takes place exclusively via file access.


In TSM the H2 database is used internally, but only within the JVM from the queue server. Thus, TSM is not affected, because neither is H2 started as an independent process, nor are sockets provided and therefore no H2 console is offered.

WISKI-TSDI (As of the WISKI test version

For future TSDI "Time Series Data Import" H2 can be configured as an alternative for the format management and status tracker in the Oracle WISKI database.

  1. Oracle/MSSQL and not H2 is the default database when deploying TSDI via Server Manager.
  2. H2 runs on "embedded" mode and the "Console" is not activated.


The H2 database runs on "embedded" mode and the "Console" is not enabled

The H2 database will be updated to the latest compatible version in the future WISKI version 7.4.13.

Please reach out to your KISTERS contact if you have any questions.