Remote Code Execution (RCE) Affecting com.h2database:h2 package, versions [1.1.100, 2.0.206)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
57.4% (98th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-COMH2DATABASE-2331071
  • published6 Jan 2022
  • disclosed6 Jan 2022
  • creditJFrog Security vulnerability Research Team

Introduced: 6 Jan 2022

CVE-2021-42392  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade com.h2database:h2 to version 2.0.206 or higher.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.

Workarounds

  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.

CVSS Scores

version 3.1