The JFrog security research team has discovered a vulnerability in the H2 database console. CVE-2021-42392 shares a root cause with the now infamous Log4Shell vulnerability.
H2 is a popular, open-source SQL database written in Java. It offers a lightweight in-memory mode, meaning data does not have to be stored on disk, which makes it suitable for a range of platforms, including IoT devices.
Like Log4j, the H2 console passes unfiltered arbitrary URLs to a class responsible for loading code bases remotely, and an attacker can abuse this to obtain remote code execution. It should be noted that authentication is not required to exploit this vulnerability.
Like Log4Shell, an attacker can exploit the H2 console's acceptance of arbitrary URLs to gain remote access to the underlying server. From that initial foothold they can perform a variety of malicious actions, including but not limited to privilege escalation and the deployment of malware.
The following should be noted, however:
- The server that processes the initial request to the H2 console is the server that gets impacted by the remote code execution.
- By default, H2 only listens for localhost connections. If default configurations are in use, then this vulnerability cannot be exploited remotely.
- It is possible to run the H2 database without the H2 console, and some vendors do so. Whilst other vectors to remote code execution exist, they are highly contextual and of higher complexity.
Upgrade to H2 database version 2.0.206 immediately. If remote connections are not necessary, configuring the database to listen for localhost connections only will prevent remote exploitation.
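The two console configurations described above, shown side by side as an added example (not code from the JFrog article or the H2 project); it assumes the H2 jar is on the classpath and uses port 8082 as an arbitrary choice:

```java
import java.sql.SQLException;
import org.h2.tools.Server;

public class H2ConsoleConfig {

    // Weak: -webAllowOthers makes the console accept connections from any
    // host, so an unauthenticated remote client can reach the vulnerable
    // code path in an unpatched H2 (CVE-2021-42392).
    static Server startExposedConsole() throws SQLException {
        return Server.createWebServer(
                "-webPort", "8082",
                "-webAllowOthers").start();
    }

    // Hardened: no -webAllowOthers, so H2 keeps its default of accepting
    // localhost connections only; -ifExists additionally refuses to create
    // new databases through the console.
    static Server startLocalOnlyConsole() throws SQLException {
        return Server.createWebServer(
                "-webPort", "8082",
                "-ifExists").start();
    }

    // The strongest option from the text above is to not start the console
    // at all; if it is needed, use the local-only form and upgrade to 2.0.206.
    public static void main(String[] args) throws SQLException {
        Server console = startLocalOnlyConsole();
        System.out.println("H2 console at " + console.getURL()
                + " (localhost clients only, running=" + console.isRunning(false) + ")");
        console.stop();
    }
}
```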
- JFrog article
- Log4Shell anatomy – good for understanding how these vulnerabilities present themselves.