Allow Spring Boot 2.5 and 2.6 to work with H2 version 2.0.202

[meier-th]

A vulnerability (CVE-2021-23463: https://nvd.nist.gov/vuln/detail/CVE-2021-23463) was discovered in h2 database and it is said to be fixed in version 2.0.202.
However, Spring Boot 2.4.13, 2.5.7 and 2.6.1 use 1.4.200 version of h2 by default. Since the new version seems to be a major release, the question arises - is h2:2.0.202 compatible with Spring Boot 2.4.13, 2.5.7 and 2.6.1?

[nathan-wanono]

Hi,

I just tested on my current project to force the H2 version t 2.0.202 using the following property : <h2.version>2.0.202</h2.version>

Actually, Spring Batch does not work with this version of H2 database : the database is never initialized.
I tryed to force it using the spring.batch.jdbc.initialize-schema=always property (also tryed with embedded).
I also tryed to do a manual initilization using the classpath scripts but they are not compatible aswell.

Spring version: 2.6.1

[andifalk]

This also has issues with using Flyway DB in spring boot with detecting H2 mode correctly.
Spring Boot would need to upgrade dependency to flywaydb at least to version 8.2.2
See https://flywaydb.org/documentation/learnmore/releaseNotes#8.2.2

[philwebb]

@meier-th We plan to upgrade to the latest H2 release in Spring Boot 2.7. Generally we only upgrade dependencies to their latest patch releases in a Spring Boot patch release. There is some discussion on the H2 issue tracker about the CVE and if the fix can be backported. Have you tried upgrading manually?

@nathan-wanono I don't know if you're facing an issue in Spring Boot or Spring Batch. Could you please open a new issue and if possible provide a sample that shows initialization failing?

@andifalk We'll be upgrading to Flyway 8.2 (or newer) in Spring Boot 2.7. Have you tried overriding the flyway version in your Maven or Gradle file? I'd be interested to know if they are compatible.

[philwebb]

I'll close this one for now. I don't think we can upgrade our managed dependency, but if other folks find compatibility issues that we can solve in Spring Boot 2.5 or 2.6 please comment here.

[subes]

H2 2.x.x has a ...;MODE=LEGACY jdbc option which makes spring batch (which is included in spring boot) work properly: http://www.h2database.com/html/features.html

[hpoettker]

As far as I can tell, there is nothing in Spring Boot itself (expect for some test schemas) that needs to be changed for compatibility with H2 2.0.x . But some dependencies will need to be updated:

• Flyway as @andifalk noted above.
• Spring JDBC: Make H2SequenceMaxValueIncrementer compatible with H2 database 2.0.x spring-framework#27870
• Spring Batch: Adjust h2 schema to work with v2.0.x spring-batch#4043
• r2dbc-h2: Upgrade to support H2 2.0. r2dbc/r2dbc-h2#204

Spring JDBC and Spring Batch can be adjusted to work with both 1.4.x and 2.0.x interchangeably.