DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221
|Case lead||Martin van Wingerden|
|Product||H2 Web Console|
|Recommendation||Update and do not expose the console to untrusted users.|
|Workaround||Do not expose the console to untrusted users.|
|Last modified||26 May 2023 09:13|
On January 5 H2 published an advisory about CVE-2021-42392 and released a new version. Versions between 1.1.100 and 2.1.210 allow unauthenticated attackers to execute any code on your server by loading custom classes from remote servers. It is easily exploitable and both have a CVSSv3 score of 9.8.
The vulnerability is currently reported as exploited in the wild, both proof of concepts are available on the internet, CVE-2022-23221 being the most shared one.
Patches and workarounds are available to remediate the vulnerability. Users with this vulnerable versions should update as fast as possible.
Exploitation likeability is high. We recommend to update and to not expose the console to untrusted users.
What you can do
Users with this vulnerable versions should update as fast as possible. H2 Console should never be made available to untrusted users.
We recommend ACLs to limit access to the console to trusted users, an practical example would be to only allow access to the console from the local/virtual network your infrastructure is running on.
General advice after following up our recommendation is to disable access to the console by setting the
webAllowOthers property to
false in the
h2.properties file in case you have not already done so.
What we are doing
We are scanning the internet for vulnerable H2 Console servers, and will notify system owners via the listed abuse contacts.
|04 Jan 2022||H2 released version 2.0.206 and reported about CVE-2021-42392|
|17 Jan 2022||H2 released version 2.1.210 and reported about CVE-2022-23221|
|09 Sep 2022||DIVD starts investigating the scope and impact of the vulnerability.|
|07 Oct 2022||DIVD starts scanning for vulnerabilities.|
|07 Oct 2022||First round of notifications sent|
|11 Dec 2022||Second round of notifications sent|
- The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console
- H2 Database Console Remote Code Execution