gsd-2021-42392
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Aliases
Aliases
{
"GSD": {
"CVSS_V3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C",
"affected": [
{
"package": {
"ecosystem": "PUBLICSOFTWARE",
"name": "h2database"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "\u003c2.0.206"
}
],
"type": "SEMVER"
}
]
}
],
"alias": "CVE-2021-42392",
"description": "To quote portions of the original JFrog advisory (https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/): \n\n # A short preamble \n\n Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE \u2013 CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading). \n\n H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn\u2019t require data to be stored on disk. This makes it a popular data storage solution for various projects from web platforms like Spring Boot to IoT platforms like ThingWorks. The com.h2database:h2 package is part of the top 50 most popular Maven packages, with almost 7000 artifact dependencies. \n\n Due to the current sensitivities around anything (Java) JNDI-related, we want to clarify a few of the conditions and configurations that must be present in order to be at risk before getting into the technical details of our H2 vulnerability findings. \n\n Although this is a critical issue with a similar root cause, CVE-2021-42392 should not be as widespread as Log4Shell (CVE-2021-44228) due to the following factors: \n\n 1. Unlike Log4Shell, this vulnerability has a \"direct \" scope of impact. This means that typically the server that processes the initial request (the H2 console) will be the server that gets impacted with RCE. This is less severe compared to Log4Shell since the vulnerable servers should be easier to find. \n 2. On vanilla distributions of the H2 database, by default the H2 console only listens to localhost connections \u2013 making the default setting safe. This is unlike Log4Shell which was exploitable in the default configuration of Log4j. However \u2013 it\u2019s worth noting the H2 console can easily be changed to listen to remote connections as well. \n 3. Many vendors may be running the H2 database, but not running the H2 console. Although there are other vectors to exploit this issue other than the console, these other vectors are context-dependent and less likely to be exposed to remote attackers. \n That being said, if you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately. \n\n # Why are we scanning for JNDI flaws? \n\n # Vulnerability root cause \u2013 JNDI remote class loading \n\n # CVE-2021-42392 attack vectors \n\n ## H2 console \u2013 non-context-dependent, unauthenticated RCE \n\n ## H2 Shell tool \u2013 context-dependent RCE \n\n ## SQL-based vectors \u2013 authenticated (high privileges) RCE \n\n # How can I check if I\u2019m vulnerable to CVE-2021-42392? \n\n # How did JFrog detect CVE-2021-42392? \n\n # What is the suggested fix for CVE-2021-42392? \n\n We recommend all users of the H2 database to upgrade to version 2.0.206, even if you are not directly using the H2 console. This is due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain. \n\n Version 2.0.206 fixes CVE-2021-42392 by limiting JNDI URLs to use the (local) java protocol only, which denies any remote LDAP/RMI queries. This is similar to the fix applied in Log4j 2.17.0. \n\n # How can CVE-2021-42392 be mitigated? \n\n The best fix for the vulnerability is to upgrade the H2 database. \n\n For vendors that are currently unable to upgrade H2, we offer the following mitigation options: \n\n Similarly to the Log4Shell vulnerability, newer versions of Java contain the trustURLCodebase mitigation that will not allow remote codebases to be loaded naively via JNDI. Vendors may wish to upgrade their Java (JRE/JDK) version to enable this mitigation. \n\n This mitigation is enabled by default on the following versions of Java (or any later version) \u2013 \n\n * 6u211 \n * 7u201 \n * 8u191 \n * 11.0.1 \n\n However, this mitigation is not bulletproof, as it can be bypassed by sending a serialized \"gadget \" Java object through LDAP, as long as the respective \"gadget \" class is included in the classpath (depends on the server that runs the H2 database). For more information, please see \"Using serialized Java Objects with local gadget classes \" from our Log4Shell blog post. \n\n When the H2 console Servlet is deployed on a web server (not using the standalone H2 web server), a security constraint can be added that will allow only specific users access to the console page. A suitable configuration example can be found here. \n\n # Acknowledgements \n\n # Conclusion \n\n",
"id": "GSD-2021-42392",
"modified": "2022-09-07T12:59:24Z",
"references": [
{
"name": "The JNDI Strikes Back \u2013 Unauthenticated RCE in H2 Database Console",
"type": "ARTICLE",
"url": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/"
},
{
"name": "Version 2.0.206",
"type": "FIX",
"url": "https://github.com/h2database/h2database/releases/tag/version-2.0.206"
},
{
"name": "RCE in H2 Console6",
"type": "ADVISORY",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2022/dsa-5076"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:1013"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/CVE-2021-42392"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:4918"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:4919"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:4922"
},
"https://access.redhat.com/errata/RHSA-2022:6782",
"https://access.redhat.com/errata/RHSA-2022:6783",
"https://access.redhat.com/errata/RHSA-2022:6787",
"https://access.redhat.com/errata/RHSA-2022:7409",
"https://access.redhat.com/errata/RHSA-2022:7410",
"https://access.redhat.com/errata/RHSA-2022:7411",
"https://access.redhat.com/errata/RHSA-2022:7417"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-42392"
],
"details": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.",
"id": "GSD-2021-42392",
"modified": "2023-12-13T01:23:06.211825Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@jfrog.com",
"ID": "CVE-2021-42392",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "h2",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.1.000"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.0.204"
}
]
}
}
]
},
"vendor_name": "h2database"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution."
}
]
},
"impact": {
"cvssv3": {
"SCORE": "9.8"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"refsource": "MISC",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"name": "[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"
},
{
"name": "DSA-5076",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5076"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/",
"refsource": "MISC",
"url": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220119-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220119-0001/"
},
{
"name": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/",
"refsource": "MISC",
"url": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.0.204",
"versionStartIncluding": "1.1.000",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@jfrog.com",
"ID": "CVE-2021-42392"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"refsource": "MISC",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"name": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/",
"refsource": "MISC",
"tags": [
"Exploit",
"Technical Description",
"Vendor Advisory"
],
"url": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220119-0001/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220119-0001/"
},
{
"name": "[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"
},
{
"name": "DSA-5076",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5076"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/",
"refsource": "MISC",
"tags": [],
"url": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-02-24T22:15Z",
"publishedDate": "2022-01-10T14:10Z"
}
}
}
Loading...