DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221

Summary

On January 5 H2 published an advisory about CVE-2021-42392 and released a new version. Versions between 1.1.100 and 2.1.210 allow unauthenticated attackers to execute any code on your server by loading custom classes from remote servers. It is easily exploitable and both have a CVSSv3 score of 9.8.

The vulnerability is currently reported as exploited in the wild, both proof of concepts are available on the internet, CVE-2022-23221 being the most shared one.

Patches and workarounds are available to remediate the vulnerability. Users with this vulnerable versions should update as fast as possible.

Exploitation likeability is high. We recommend to update and to not expose the console to untrusted users.

What you can do

Users with this vulnerable versions should update as fast as possible. H2 Console should never be made available to untrusted users.

We recommend ACLs to limit access to the console to trusted users, an practical example would be to only allow access to the console from the local/virtual network your infrastructure is running on.

General advice after following up our recommendation is to disable access to the console by setting the webAllowOthers property to false in the h2.properties file in case you have not already done so.

What we are doing

We are scanning the internet for vulnerable H2 Console servers, and will notify system owners via the listed abuse contacts.

Timeline

More information

• CVE-2021-42392
• The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console
• CVE-2022-23221
• H2 Database Console Remote Code Execution