Log4Shell-style security hole found in popular H2 Java SQL database engine – Naked Security

“It’s Log4Shell, Jim,” as Commander Spock never really said, “But not as we know him.”

This is the shortest summary we can find of the bug. CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company Jfrog.

This time the bug is not in Apache’s Log4j toolkit, but can be found in a popular Java SQL server called the H2 Database Engine.

H2 is not like a traditional SQL system such as MySQL or Microsoft SQL Server.

While you can run H2 as a stand-alone server to connect to other applications, its primary purpose is its modest size and stand-alone nature.

As a result, you can bundle SQL H2 database code directly into your own Java applications and run your databases entirely in memory, without the need for separate server processes.

As with Log4j, of course, this means that you can have instances of the H2 Database Engine code running within your organization without realizing it, whether you are using any apps or development components. who themselves include it discreetly.

JNDI in the spotlight again

Like the Log4Shell vulnerability, this one depends on the abuse of the Java naming and directory interface, better known as JNDI, which is an integral part of any standard Java installation.

JNDI is supposed to make it easier to identify and access useful resources on your network, including finding and retrieving software components stored remotely using well-known search and discovery protocols such as Lightweight Directory (LDAP). Access Protocol).

As dangerous as it may sound, it is important to remember that similar functionality can be encoded in any software (compiled or interpreted, script or binary) that has network access, can download arbitrary data, and is capable of transform that data into executable code of some sort. JNDI simply makes it easy to build distributed applications that find and load remote components. This type of programmatic convenience sometimes improves security, as it is often easier to audit and revise code when it follows a well-documented path. But sometimes it reduces safety, as it makes it easier to mistakenly introduce unexpected side effects. We saw it in Log4j, where “Write a text string to keep a record of data submitted by a remote user” could inadvertently turn into “Download and run an untrusted program specified by a remote user”.

Fortunately, unlike Log4Shell, bug CVE-2021-42392 cannot be triggered simply by embedding trapped text in queries that are sent to the H2 Database Engine.

Although Jfrog has documented several ways that cybercriminals could, in theory, trick H2 into executing arbitrary remote code, the most likely path of attack involves:

  • An active H2 web console. It is an embedded web server that typically listens on TCP port 8082 and allows developers to interact with the SQL H2 backend while it is running. If this port is blocked or if the console is inactive, this attack path will not work.
  • An H2 console listening on an external network interface. By default, the console only accepts connections from the computer it is running on (localhost, usually the IP number in an IPv4 network). Unless this default was changed, attackers would need local access anyway before they could gain access to the H2 console.

According to H2, the applications that integrate the H2 engine directly in their code “Are not exposed to the outside”, but as far as we can see, this note only refers to the database engine itself when not running as an sql server, not the web console component.

Unfortunately, Jfrog notes:

We have observed that some third-party H2 database-based tools will run the H2 console exposed to remote clients by default. For example, the JHipster framework also exposes the H2 console and defines by default the webAllowOthers property to true.

(Adjustment webAllowOthers is the Java property used by H2 to decide whether or not to accept connections from external network interfaces.)

The default web console login page includes a form that allows users to specify how they want to connect to the database.

A malicious user could use this form to request a JNDI lookup via LDAP, just like in a Log4Shell attack, to trick H2 into fetching and running remote Java. .class file (a compiled Java program).

Although a dangerous URL used to launch an attack is submitted in the same login form that asks for a username and password, Jfrog discovered that the JNDI lookup takes place before the username and password. password are not verified.

This means that an attacker does not need working credentials to exploit the vulnerability, so the bug opens what is called a remote unauthenticated code execution (RCE) hole, the most dangerous kind.


For a live demonstration of how JNDI can be maliciously combined with JDAP searches to download and run untrusted remote code, watch this video:

If you cannot clearly read the text of the video here, try using full screen mode or look directly on Youtube. Click on the video player cog to speed up playback or activate subtitles.

What to do?

  • If you have applications that use the H2 database engine, upgrade H2 to version 2.0.206.

At time of writing 2.0.206 (published 2022-01-04) is listed like the latest version, although the H2 change log always lists 2.0.206 as “unpublished”, and does not document CVE-2021-42392 as one of the resolved issues.

Jfrog, however, states that 2.0.206 includes a code change similar to the one Apache used in the Log4j 2.17.0 update: H2 no longer allows the use of JNDI with remote references.

This means, in theory, that attackers can no longer pull off the trick of saying “Do a search, but use a network query that takes you to an unreliable external location so we can manipulate the results.”

As far as we can see, the updated H2 Database Engine now only uses JNDI for what are essentially local Java function calls, so remote code execution as Unexpected side effect of using JNDI is no longer possible, neither by accident nor by design.

  • To find instances of the H2 code on your network, you can search for files called h2-*.jar.

The generic text denoted by * must be of the form X.Y.Z, representing the version number of H2 in use – anything less than 2.0.206 should be replaced with the latest version.

Maria H. Underwood