Skip to content

RCE in H2 Console

Critical severity GitHub Reviewed Published Jan 5, 2022 in h2database/h2database • Updated Feb 25, 2023

Package

maven com.h2database:h2 (Maven)

Affected versions

>= 1.1.100, < 2.0.206

Patched versions

2.0.206

Description

Impact

H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.

H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet).

It is also possible to load them by creation a linked table in these versions, but it requires ADMIN privileges and user with ADMIN privileges has full access to the Java process by design. These privileges should never be granted to untrusted users.

Patches

Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used.

Workarounds

H2 Console should never be available to untrusted users.

-webAllowOthers is a dangerous setting that should be avoided.

H2 Console Servlet deployed on a web server can be protected with a security constraint:
https://h2database.com/html/tutorial.html#usingH2ConsoleServlet
If webAllowOthers is specified, you need to uncomment and edit <security-role> and <security-constraint> as necessary. See documentation of your web server for more details.

References

This issue was found and privately reported to H2 team by JFrog Security's vulnerability research team with detailed information.

References

@katzyn katzyn published to h2database/h2database Jan 5, 2022
Reviewed Jan 6, 2022
Published to the GitHub Advisory Database Jan 6, 2022
Published by the National Vulnerability Database Jan 10, 2022
Last updated Feb 25, 2023

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score

38.501%
(97th percentile)

Weaknesses

CVE ID

CVE-2021-42392

GHSA ID

GHSA-h376-j262-vhq6

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.