Skip to the content.

DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221

Our reference DIVD-2022-00051
Case lead Martin van Wingerden
Researcher(s)
CVE(s)
Product H2 Web Console
Versions 1.1.100-2.1.210
Recommendation Update and do not expose the console to untrusted users.
Workaround Do not expose the console to untrusted users.
Status Open
Last modified 08 Dec 2022 16:28

Summary

On January 5 H2 published an advisory about CVE-2021-42392 and released a new version. Versions between 1.1.100 and 2.1.210 allow unauthenticated attackers to execute any code on your server by loading custom classes from remote servers. It is easily exploitable and both have a CVSSv3 score of 9.8.

The vulnerability is currently reported as exploited in the wild, both proof of concepts are available on the internet, CVE-2022-23221 being the most shared one.

Patches and workarounds are available to remediate the vulnerability. Users with this vulnerable versions should update as fast as possible.

Exploitation likeability is high. We recommend to update and to not expose the console to untrusted users.

What you can do

Users with this vulnerable versions should update as fast as possible. H2 Console should never be made available to untrusted users.

We recommend ACLs to limit access to the console to trusted users, an practical example would be to only allow access to the console from the local/virtual network your infrastructure is running on.

General advice after following up our recommendation is to disable access to the console by setting the webAllowOthers property to false in the h2.properties file in case you have not already done so.

What we are doing

We are scanning the internet for vulnerable H2 Console servers, and will notify system owners via the listed abuse contacts.

Timeline

Date Description
04 Jan 2022 H2 released version 2.0.206 and reported about CVE-2021-42392
17 Jan 2022 H2 released version 2.1.210 and reported about CVE-2022-23221
09 Sep 2022 DIVD starts investigating the scope and impact of the vulnerability.
07 Oct 2022 DIVD starts scanning for vulnerabilities.
07 Oct 2022 First round of notifications sent
gantt title DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00051 - H2 Web Console - CVE-2021-42392, CVE-2022-23221 (still open) :2022-09-09, 2022-12-15 section Events H2 released version 2.0.206 and reported about CVE-2021-42392 : milestone, 2022-01-04, 0d H2 released version 2.1.210 and reported about CVE-2022-23221 : milestone, 2022-01-17, 0d DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-09-09, 0d DIVD starts scanning for vulnerabilities. : milestone, 2022-10-07, 0d First round of notifications sent : milestone, 2022-10-07, 0d

More information