fix(security): Patch Critical RCE in H2 Database — CVE-2021-42392 [COG-422] #16

Open · devin-ai-integration[bot] wants to merge 1 commit into master from devin/1780068065-fix-h2-rce-cog422

Conversation

devin-ai-integration[bot] commented May 29, 2026

Summary

Upgrades com.h2database:h2 from 1.4.200 to 2.1.210 to remediate CVE-2021-42392 (CVSS 9.8) — a Remote Code Execution vulnerability via JDBC URL manipulation (CWE-94: Code Injection).

Vulnerability: An unauthenticated attacker could execute arbitrary Java code on the server by crafting malicious JDBC URLs. If the H2 console were exposed, this would be directly exploitable from the network.

Root cause: The application inherited H2 1.4.200 from Spring Boot 2.2.6.RELEASE parent POM, which contains the vulnerable code path.

Fix applied:

  • Pinned com.h2database:h2 to version 2.1.210 in monolith/pom.xml, overriding the Spring Boot managed version
  • Explicitly disabled H2 console (spring.h2.console.enabled=false) as defense-in-depth
  • Configured H2 2.x compatibility settings (MODE=LEGACY, DB_CLOSE_ON_EXIT=FALSE, hibernate.id.new_generator_mappings=false) to ensure seamless upgrade

Tests added:

  • h2Version_isAtLeast_2_1_210_CVE2021_42392 — asserts runtime H2 version >= 2.1.210
  • h2Console_isDisabled_CVE2021_42392 — asserts H2 console is disabled in config

All 9 tests pass (7 existing integration tests + 2 new security regression tests).

Review & Testing Checklist for Human

  • Verify com.h2database:h2:2.1.210 appears in the resolved dependency tree (./mvnw dependency:tree | grep h2)
  • Run the full test suite locally (cd monolith && ./mvnw clean test) and confirm 9/9 pass
  • Verify the H2 console is not accessible at /h2-console when running the app (./mvnw spring-boot:run then visit http://localhost:8080/h2-console)
  • Confirm seed data loads correctly on startup (GET /bonds returns US912828YK15, GET /counterparties returns Acme Asset Management)
  • Execute an RFQ via POST /rfqs and confirm the saga still works end-to-end

Notes

  • The MODE=LEGACY setting preserves H2 1.x SQL behavior (case-insensitive identifiers, etc.) so no application code changes were needed
  • The DB_CLOSE_ON_EXIT=FALSE setting eliminates benign shutdown warnings from H2 2.x
  • Snyk ref: SNYK-JAVA-COMH2DATABASE-2348247
  • Linear: COG-422

Link to Devin session: https://app.devin.ai/sessions/bc498da494ea494680373fa9416dcc25
Requested by: @patrickbradley-cog
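The two review-checklist items above (the resolved H2 version and the console setting) can be checked mechanically. The following is an added example, not the PR's H2SecurityTest or any project code; it parses constructed `./mvnw dependency:tree` output and a constructed `application.properties` fragment, and uses the PR's own gate of 2.1.210 as the minimum version.

```python
"""Gate checks mirroring the PR review checklist: is the resolved H2 artifact
at or above 2.1.210, and is the H2 console explicitly disabled?"""
import re
from typing import Optional, Tuple

# Minimum H2 version the PR pins (its CVE-2021-42392 remediation target).
MIN_H2_VERSION = (2, 1, 210)

# Matches Maven dependency:tree lines such as
#   [INFO] +- com.h2database:h2:jar:2.1.210:runtime
TREE_LINE = re.compile(r"com\.h2database:h2:jar:([0-9][0-9.]*):")

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.1.210' -> (2, 1, 210); compared numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def resolved_h2_version(tree_output: str) -> Optional[str]:
    """Return the H2 version Maven actually resolved, or None if H2 is absent."""
    for line in tree_output.splitlines():
        m = TREE_LINE.search(line)
        if m:
            return m.group(1)
    return None

def h2_version_ok(tree_output: str) -> bool:
    v = resolved_h2_version(tree_output)
    return v is not None and parse_version(v) >= MIN_H2_VERSION

def h2_console_disabled(properties: str) -> bool:
    """True only when spring.h2.console.enabled is explicitly set to false.
    A missing property counts as a failure: the PR wants an explicit setting."""
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "spring.h2.console.enabled":
            return value.strip().lower() == "false"
    return False

# Constructed sample inputs (not captured from the project).
TREE_BEFORE = "[INFO] +- com.h2database:h2:jar:1.4.200:runtime\n"
TREE_AFTER = "[INFO] +- com.h2database:h2:jar:2.1.210:runtime\n"
PROPS_AFTER = ("spring.h2.console.enabled=false\n"
               "spring.datasource.url=jdbc:h2:mem:db;MODE=LEGACY;DB_CLOSE_ON_EXIT=FALSE\n")

if __name__ == "__main__":
    print("before:", h2_version_ok(TREE_BEFORE), "after:", h2_version_ok(TREE_AFTER))
    print("console disabled:", h2_console_disabled(PROPS_AFTER))
```

Pipe real `./mvnw dependency:tree` output into `h2_version_ok` to turn the checklist item into a CI gate; a transitive H2 that Maven resolves to a lower version than the pin would show up here.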


Devin Review

Status Commit
⚪ Not started

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

Open in Devin Review (Staging)
Open in Devin Review

…G-422]

- Pin com.h2database:h2 to 2.1.210 in pom.xml (was 1.4.200 via Spring Boot parent)
- Fixes CVE-2021-42392 / SNYK-JAVA-COMH2DATABASE-2348247 (CVSS 9.8)
- Disable H2 console as defense-in-depth
- Configure H2 2.x LEGACY mode and DB_CLOSE_ON_EXIT for compatibility
- Set hibernate.id.new_generator_mappings=false for GenerationType.AUTO
- Add H2SecurityTest with version and console-disabled regression checks

Co-Authored-By: patrick.bradley <patrick.bradley@cognition.ai>

devin-ai-integration[bot] (Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

devin-ai-integration[bot] (Author) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.