Nexus RM3 OSS h2 vulnerability

NXRM3 version: 3.41.1-01
h2 DB: 1.4.200

Current version of h2 DB contains a few critical vulnerabilities:

  1. CVE-2021-23463
  2. CVE-2021-42392
  3. CVE-2022-23221

It seems these are fixed in the latest 2.0.206+ versions.

What’s the process to get this upgraded? Is this already tracked?

Regards,
Atharva

Atharva,

Thanks for your inquiry. We are aware of this dependency vulnerability via our continuous monitoring with Nexus Lifecycle.

We consider all dependency vulnerabilities to be potentially exploitable, and we have already queued them for remediation as a routine part of our development process. For the safety of our customers and users, we don’t disclose specific exploitability of this dependency vulnerability.

For more information on our processes, please see Repository Security Vulnerabilities.

If you haven’t already, you can subscribe to announcements of new releases and fixes for verified exploitable vulnerabilities via the Nexus Repository Pro announcements Google group.

Michael

Michael,

Thanks for the info. It wasn’t clear to me that the Pro announcement also applies to OSS versions. I didn’t think the Pro version used the h2 database.

Regards
Atharva

Hi @mprescott

When can we expect a fix for this? I tried with the latest image, and even that has the critical H2 database and Hazelcast vulnerabilities.

Regards,
Suganth

I modified all h2-related version numbers in the configuration file to 2.0.206 and replaced the jar package with 2.0.206. I found that Nexus can start normally after I modified it. What are the disadvantages of this for the existing system?

h2 1.4 and h2 2.x use incompatible storage formats.
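As an added check that is not part of this thread or of Sonatype's tooling: a Python script that inventories `h2-*.jar` files under an install directory, reads each jar's manifest version (falling back to the file name), and reports the three CVEs listed in the first post for any jar below 2.0.206. The `system/com/h2database/h2/<version>/` layout used by `demo()` is an assumption, as are the jar contents it constructs.

```python
"""Flag h2 jars below 2.0.206, the first release the thread names as fixing the CVEs."""
import os
import re
import tempfile
import zipfile
from typing import Optional, Tuple

H2_CVES = ("CVE-2021-23463", "CVE-2021-42392", "CVE-2022-23221")  # from the thread
FIXED_IN = (2, 0, 206)  # h2 releases at or above this are reported fixed

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '1.4.200' or '2.0.206' into a comparable tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def jar_version(path: str) -> Optional[Tuple[int, ...]]:
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                ver = parse_version(line.split(":", 1)[1])
                if ver:
                    return ver
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less jar: fall back to the file name
    return parse_version(os.path.basename(path))

def audit(root: str) -> list:
    """Return (path relative to root, version tuple, applicable CVEs) per h2-*.jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if re.fullmatch(r"h2-[\d.]+\.jar", name):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                affected = ver is None or ver < FIXED_IN  # unknown version: treat as affected
                findings.append((os.path.relpath(path, root), ver, H2_CVES if affected else ()))
    return findings

def demo() -> list:
    """Build a constructed install tree holding the thread's two versions, then audit it."""
    root = tempfile.mkdtemp(prefix="nxrm-h2-")
    for ver in ("1.4.200", "2.0.206"):
        sub = os.path.join(root, "system", "com", "h2database", "h2", ver)  # assumed layout
        os.makedirs(sub)
        with zipfile.ZipFile(os.path.join(sub, f"h2-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return audit(root)
```

A jar that passes this check is only a version inventory result: the storage-format incompatibility noted in the reply above concerns the database files, not the jar, so it is not evidence that a 1.4 to 2.x swap is safe.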