Release 0.9.5697 fixes two security vulnerabilities in Datomic On-Prem transactors running the free: or dev: storage protocol.
The transactor running the free: or dev: storage protocol currently:
- runs a JDBC server and an H2 web console that are accessible by remote clients
- has admin and datomic JDBC users with default passwords
This can allow unauthorized users to access data, and, via the H2 SQL ALIAS command, execute arbitrary Java code.
What You Need To Do
If you are running free: or dev: storage, you need to upgrade as soon as possible. Log into my.datomic.com and download version 0.9.5697 for immediate installation. For any help or additional questions please contact our support team.
All other storages are unaffected.
What Has Changed
Release 0.9.5697 makes the following changes to free: and dev: transactors:
- Transactors no longer run an H2 console under any configuration.
- By default, the JDBC server is now open only to connections on the same computer.
- To open the JDBC server to external connections, you must explicitly enable it via a property setting and also set passwords for the ‘admin’ and ‘datomic’ users.
- To connect from non-local peers, the peers must now supply the password (for the ‘datomic’ user) in the connection URI
The Configuring Embedded Storage documentation describes the new configuration options in more detail.
The Datomic team would like to thank Caio Vargas, Matheus Bernardes, and Nubank for reporting this issue.