A vulnerability (CVE-2021-23463: https://nvd.nist.gov/vuln/detail/CVE-2021-23463) was discovered in h2 database and it is said to be fixed in version 2.0.202. However, Spring Boot 2.4.13, 2.5.7 and 2.6.1 use 1.4.200 version of h2 by default. Since the new version seems to be a major release, the question arises - is h2:2.0.202 compatible with Spring Boot 2.4.13, 2.5.7 and 2.6.1?
Comment From: nathan-wanono
Hi,
I just tested on my current project to force the H2 version to 2.0.202 using the following property: <h2.version>2.0.202</h2.version>
Actually, Spring Batch does not work with this version of H2 database: the database is never initialized.
I tried to force it using the spring.batch.jdbc.initialize-schema=always property (also tried with embedded).
I also tried to do a manual initialization using the classpath scripts but they are not compatible as well.
Spring version: 2.6.1
Comment From: andifalk
This also has issues with using Flyway DB in Spring Boot with detecting H2 mode correctly. Spring Boot would need to upgrade the dependency to flywaydb at least to version 8.2.2. See https://flywaydb.org/documentation/learnmore/releaseNotes#8.2.2
Comment From: philwebb
@meier-th We plan to upgrade to the latest H2 release in Spring Boot 2.7. Generally we only upgrade dependencies to their latest patch releases in a Spring Boot patch release. There is some discussion on the H2 issue tracker about the CVE and if the fix can be backported. Have you tried upgrading manually?
@nathan-wanono I don't know if you're facing an issue in Spring Boot or Spring Batch. Could you please open a new issue and if possible provide a sample that shows initialization failing?
@andifalk We'll be upgrading to Flyway 8.2 (or newer) in Spring Boot 2.7. Have you tried overriding the flyway version in your Maven or Gradle file? I'd be interested to know if they are compatible.
Comment From: philwebb
I'll close this one for now. I don't think we can upgrade our managed dependency, but if other folks find compatibility issues that we can solve in Spring Boot 2.5 or 2.6 please comment here.
Comment From: subes
H2 2.x.x has a ...;MODE=LEGACY jdbc option which makes Spring Batch (which is included in Spring Boot) work properly: http://www.h2database.com/html/features.html
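Putting the two workarounds from this thread together (the h2.version override from nathan-wanono's comment and the MODE=LEGACY URL option from subes's comment), here is a constructed application.properties as an added example; it is not from the thread or the Spring Boot project, and it assumes H2 has already been pinned to 2.0.202 in the build file (for example <h2.version>2.0.202</h2.version> in pom.xml) and that the database name batchdb is an arbitrary choice.

```properties
# application.properties: constructed example, not from the thread or the Spring Boot project.
# Assumes the build already forces H2 to 2.0.202 (Maven: <h2.version>2.0.202</h2.version>).

# Before: plain in-memory URL. With H2 2.0.x the Spring Batch 4.x schema scripts
# fail to apply, so the job repository tables are never created.
# spring.datasource.url=jdbc:h2:mem:batchdb;DB_CLOSE_DELAY=-1

# After: MODE=LEGACY makes H2 2.x accept the 1.4.x-era DDL that Spring Batch ships,
# so the unchanged classpath schema scripts run again.
spring.datasource.url=jdbc:h2:mem:batchdb;DB_CLOSE_DELAY=-1;MODE=LEGACY
spring.datasource.driver-class-name=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=

# Schema initialisation for the Spring Batch job repository
# ("embedded" is the default; "always" forces it, as tried above).
spring.batch.jdbc.initialize-schema=always
```

The MODE=LEGACY setting only relaxes H2's SQL compatibility; it does not change that the CVE fix itself lives in the upgraded H2 jar, so keep the version override in place.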
Comment From: hpoettker
As far as I can tell, there is nothing in Spring Boot itself (except for some test schemas) that needs to be changed for compatibility with H2 2.0.x. But some dependencies will need to be updated:
- Flyway as @andifalk noted above.
- Spring JDBC: https://github.com/spring-projects/spring-framework/pull/27870
- Spring Batch: https://github.com/spring-projects/spring-batch/pull/4043
- r2dbc-h2: https://github.com/r2dbc/r2dbc-h2/pull/204
Spring JDBC and Spring Batch can be adjusted to work with both 1.4.x and 2.0.x interchangeably.