Siteminder AdminUI modules directory contains an h2 JAR vulnerable to CVE-2018-10054, CVE-2021-42392, CVE-2022-23221
Automated security scanning has flagged the JAR file at $INSTALL_DIR/modules/system/layers/base/com/h2database/h2/main/h2-1.3.173.jar as vulnerable to the above-mentioned CVEs.
The customer would like to understand whether there is a newer version of the AdminUI and/or a newer version of the JAR. Alternatively, since we do not use any database connectivity in our environment, can we just delete the JAR? Please advise on the correct remediation.
Any supported Single Sign-On (siteminder) environment.
We are not vulnerable to this reported issue. The issue applies only when the H2 Console application is used, and we do not ship or use it.
We have received the following inputs from the SE Engineering team regarding this issue:
- If we are vulnerable to the reported issue, the customer would like to know whether there is a newer version of the AdminUI and/or a newer version of the JAR that remediates it.
[SE]: Not applicable as we are not vulnerable.
- If we are NOT vulnerable, kindly explain why we need to remove/delete the h2 jar from AdminUI.
[SE]: We did not want to remove this jar. But, as reported by the security team, it is getting flagged in scans, hence we want to say that AdminUI is not using that jar and you can remove it if you want to.
- We understand that we can remove/delete this h2 JAR file from the AdminUI if we do not use any database connectivity in our environment, but what if database connectivity is used in a customer's environment?
[SE]: The jar is only the H2 database driver that comes as part of the JBoss application server. AdminUI does not use this jar for database connectivity, so unless the customer has done some customization, removing this jar will not have any impact on database connectivity.
If you would like to remove this h2 jar from your environment even though we are NOT vulnerable to the reported vulnerabilities, follow the instructions below and TEST them in a LOWER TEST environment before moving further.
- Steps for removing the h2 jar and references:
1. Take a backup of the folder $INSTALL_DIR/modules/system/layers/base/com/h2database to a different location.
2. Remove the folder $INSTALL_DIR/modules/system/layers/base/com/h2database.
3. Remove the references to h2 in $INSTALL_DIR/standalone/configuration/standalone-full.xml:
a. Remove the ExampleDS datasource under the datasources tag, i.e. the whole <datasource> element that begins with the following line, through its closing </datasource> tag:
<datasource enabled="true" jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" use-java-context="true">
b. Remove the h2 driver entry under the drivers tag, i.e. the whole <driver> element that begins with the following line, through its closing </driver> tag:
<driver module="com.h2database.h2" name="h2">
4. Remove all folders other than the auth folder under $INSTALL_DIR/standalone/tmp.
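The four steps above, scripted as an added example (this is not Broadcom's script or part of the KB article): it refuses to proceed if any datasource other than ExampleDS uses the h2 driver (the "customization" case the SE team mentions), backs up and removes the module folder, strips the ExampleDS datasource and h2 driver elements from standalone-full.xml while keeping a copy of the original beside it, clears standalone/tmp except auth, and then checks that no h2 reference is left. The install root and backup directory are arguments; the built-in fixture (a second "AppDS" datasource on a "postgresql" driver) is constructed for the demo and is not from any real AdminUI install. It assumes a POSIX shell with awk and a find that supports -mindepth/-maxdepth.

```shell
#!/bin/sh
# Added example, not part of the KB article: the four removal steps as a script,
# with a pre-check for the "customization" case and a post-check for leftovers.
# Paths are the article's; INSTALL_DIR and the backup directory are arguments.
set -u

H2_REL="modules/system/layers/base/com/h2database"

# Pre-check: a second datasource using the h2 driver means a customization exists,
# and removing the module would break it; stop and let a human review first.
preflight() {
    cfg="$1/standalone/configuration/standalone-full.xml"
    [ -d "$1/$H2_REL" ] || { echo "no h2 module folder under $1" >&2; return 1; }
    [ -f "$cfg" ]       || { echo "missing $cfg" >&2; return 1; }
    n=$(grep -c '<driver>h2</driver>' "$cfg" || true)
    [ "$n" -le 1 ] || { echo "$n datasources use the h2 driver; review before removing" >&2; return 1; }
}

# Step 3: drop the whole ExampleDS <datasource> element and the whole <driver name="h2">
# element; every other line of the file is copied through unchanged.
strip_h2_refs() {
    cfg="$1"
    cp -p "$cfg" "$cfg.pre-h2-removal"
    awk '
        skip_ds  { if ($0 ~ /<\/datasource>/) skip_ds = 0;  next }
        skip_drv { if ($0 ~ /<\/driver>/)     skip_drv = 0; next }
        /<datasource[[:space:]][^>]*pool-name="ExampleDS"/ {
            if ($0 !~ /\/>[[:space:]]*$/ && $0 !~ /<\/datasource>/) skip_ds = 1; next }
        /<driver[[:space:]][^>]*name="h2"/ {
            if ($0 !~ /\/>[[:space:]]*$/ && $0 !~ /<\/driver>/) skip_drv = 1; next }
        { print }
    ' "$cfg.pre-h2-removal" > "$cfg"
}

# Post-check: module folder gone, no h2 reference left in the config, tmp/auth kept.
verify_removed() {
    inst="$1"; cfg="$inst/standalone/configuration/standalone-full.xml"; rc=0
    [ ! -e "$inst/$H2_REL" ] || { echo "module folder still present" >&2; rc=1; }
    ! grep -Eq 'ExampleDS|com\.h2database|<driver>h2</driver>' "$cfg" \
        || { echo "h2 references remain in $cfg" >&2; rc=1; }
    [ ! -d "$inst/standalone/tmp" ] || [ -d "$inst/standalone/tmp/auth" ] \
        || { echo "standalone/tmp/auth is missing" >&2; rc=1; }
    return $rc
}

# Steps 1-4 in the article's order; nothing is touched if preflight fails.
remove_h2() {
    inst="$1"; backup="$2"
    preflight "$inst" || return 1
    mkdir -p "$backup" && cp -R "$inst/$H2_REL" "$backup/" || return 1   # 1. backup
    rm -rf "$inst/$H2_REL"                                               # 2. remove module folder
    strip_h2_refs "$inst/standalone/configuration/standalone-full.xml"   # 3. config references
    tmp="$inst/standalone/tmp"                                           # 4. clear tmp except auth
    [ -d "$tmp" ] && find "$tmp" -mindepth 1 -maxdepth 1 -type d ! -name auth -exec rm -rf {} +
    verify_removed "$inst"
}

# Constructed fixture (not a real install): the article's paths with a minimal
# standalone-full.xml holding ExampleDS plus an unrelated datasource that must survive.
make_sample_tree() {
    inst="$1"
    mkdir -p "$inst/$H2_REL/h2/main" "$inst/standalone/configuration" \
             "$inst/standalone/tmp/auth" "$inst/standalone/tmp/work" "$inst/standalone/tmp/vfs"
    : > "$inst/$H2_REL/h2/main/h2-1.3.173.jar"
    cat > "$inst/standalone/configuration/standalone-full.xml" <<'EOF'
<datasources>
    <datasource enabled="true" jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" use-java-context="true">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
        <driver>h2</driver>
    </datasource>
    <datasource jndi-name="java:jboss/datasources/AppDS" pool-name="AppDS" enabled="true">
        <connection-url>jdbc:postgresql://db.example.invalid/app</connection-url>
        <driver>postgresql</driver>
    </datasource>
    <drivers>
        <driver module="com.h2database.h2" name="h2">
            <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
        </driver>
        <driver module="org.postgresql" name="postgresql"/>
    </drivers>
</datasources>
EOF
}

case "${1:-}" in
    --demo) d=$(mktemp -d); make_sample_tree "$d/install"
            remove_h2 "$d/install" "$d/backup" && echo "demo run OK under $d" ;;
    "")     echo "usage: $0 INSTALL_DIR BACKUP_DIR | --demo" >&2 ;;
    *)      remove_h2 "$1" "${2:?backup directory required}" ;;
esac
```

Run it with --demo first to see it operate on the fixture, then in the lower test environment as `sh remove_h2.sh "$INSTALL_DIR" /path/to/backup`; a non-zero exit from preflight means a datasource other than ExampleDS depends on the h2 driver and the removal should not be done blindly. After the script reports success, restart AdminUI and confirm it starts cleanly before repeating the change elsewhere; the original configuration is kept as standalone-full.xml.pre-h2-removal for rollback.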