
DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221

Our reference DIVD-2022-00051
Case lead Martin van Wingerden
Researcher(s)
CVE(s)
Product H2 Web Console
Versions 1.1.100-2.1.210
Recommendation Update and do not expose the console to untrusted users.
Workaround Do not expose the console to untrusted users.
Status Open
Last modified 09 Sep 2022 19:12

Summary

On January 5 H2 published an advisory about CVE-2021-42392 and released a new version.

Exploitation likelihood is high, as the exploit code is readily available.

What you can do

Users running these vulnerable versions should update as soon as possible. The H2 Console should never be made available to untrusted users.

We recommend ACLs to limit access to the console to trusted users; a practical example would be to only allow access to the console from the local/virtual network your infrastructure is running on.

After following up on our recommendation, the general advice is to disable remote access to the console by setting the webAllowOthers property to false in the h2.properties file, in case you have not already done so.
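The check behind this advice, as an added example that is not DIVD's or H2's own code: it parses a properties file in Java .properties syntax, reports whether webAllowOthers is enabled, and rewrites it to false while leaving every other line intact. The sample file content is constructed, and it is an assumption that H2 reads the flag with case-insensitive boolean parsing and treats a missing key as false.

```python
import re

# Constructed sample of an H2 console properties file (not from any real host).
SAMPLE_PROPERTIES = """\
#H2 Server Properties
webAllowOthers=true
webPort=8082
webSSL=false
"""

# key, then '=' / ':' / whitespace as separator, then the value
_SEP = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, blank lines,
    '=' / ':' / whitespace separators and backslash line continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = _SEP.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        else:
            props[line] = ""          # key without a value
    return props


def console_exposed(text):
    """True when webAllowOthers is on, i.e. the console accepts remote clients.
    Assumption: case-insensitive boolean, default false when the key is absent."""
    return parse_properties(text).get("webAllowOthers", "false").lower() == "true"


def harden(text):
    """Return the text with webAllowOthers forced to false; other lines untouched."""
    out, found = [], False
    for line in text.splitlines():
        if re.match(r"^\s*webAllowOthers\s*[=:\s]", line):
            out.append("webAllowOthers=false")
            found = True
        else:
            out.append(line)
    if not found:                     # make the safe setting explicit
        out.append("webAllowOthers=false")
    return "\n".join(out) + "\n"
```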

What we are doing

We are scanning the internet for vulnerable H2 Console servers, and will notify system owners via the listed abuse contacts.

Timeline

Date Description
04 Jan 2022 H2 released version 2.0.206 and reported about CVE-2021-42392
17 Jan 2022 H2 released version 2.1.210 and reported about CVE-2022-23221
09 Sep 2022 DIVD starts scanning for vulnerabilities.

More information