Remote Code Execution (RCE) Affecting com.h2database:h2 package, versions [1.1.100, 2.0.206)


0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 51.81% (98th percentile)
NVD
9.8 critical
Red Hat
9.8 critical

  • Snyk ID SNYK-JAVA-COMH2DATABASE-2331071
  • published 6 Jan 2022
  • disclosed 6 Jan 2022
  • credit JFrog Security Vulnerability Research Team

How to fix?

Upgrade com.h2database:h2 to version 2.0.206 or higher.

Overview

com.h2database:h2 is a database engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution.

If remote access was enabled explicitly and no protection method (such as a security constraint) is set, an intruder can load their own custom class and execute their code in the process hosting H2 Console (an H2 Server process or a web server with the H2 Console servlet).

Note: H2 Console does not accept remote connections by default.

Workarounds

  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • An H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit the security constraint elements as necessary. See the documentation of your web server for more details.

All these workarounds are mitigations and unlikely to prevent all attack vectors; upgrade to a fixed version for full remediation.