Remote Code Execution (RCE) Affecting com.h2database:h2 Open this link in a new tab package, versions [1.1.100, 2.0.206)


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-COMH2DATABASE-2331071

  • published

    6 Jan 2022

  • disclosed

    6 Jan 2022

  • credit

    JFrog Security vulnerability Research Team

How to fix?

Upgrade com.h2database:h2 to version 2.0.206 or higher.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.

Workarounds

  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.