H2 vulnerabilities
Issue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
SECURITY-345 & SECURITY-358
Affected Product Version(s)
15.1.0, 14.7.8, 13.4.18, and all previous versions
Severity
Critical
Description
The following vulnerabilities were addressed. Note that although the severity is set to critical, the H2 database is not approved for use in production, so the effective severity is much lower.
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL pointing to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.
Instructions
Customers are advised to upgrade to the latest version; as of the time of writing these are 15.2.0, 15.1.1, 14.7.9 and 13.4.19.
The fix prevents the h2 driver from being included in the distribution file deployed to production environments, by no longer including it as a transitive dependency of our repository. Consequently, any custom code (e.g. integration tests) that relied on that transitive dependency to use h2 must now declare h2 explicitly as a test dependency in the project.
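The following pom.xml fragment is an added example, not part of this advisory or of the product's own build files. It assumes the project builds with Maven; com.example:product-core is a placeholder for the product artifact that used to pull h2 in transitively, and the two version properties are placeholders. It shows both halves of the instruction above: h2 excluded from the product dependency so it cannot reach the packaged distribution, and h2 declared with test scope for the integration tests that still need it.

```xml
<!-- Added example (hypothetical Maven fragment, not from the advisory).
     Assumptions: Maven build; com.example:product-core stands in for the
     product artifact that previously carried h2 as a transitive dependency. -->
<dependencies>
  <!-- Product dependency: exclude h2 explicitly so that even an older
       product release cannot reintroduce the driver into the build. -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>product-core</artifactId>
    <version>${product.version}</version>
    <exclusions>
      <exclusion>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- h2 only where integration tests need it. Test scope keeps the jar out
       of the packaged distribution. Pick a release at or after 2.1.210, the
       fixed H2 Console version cited above; ${h2.version} is a placeholder. -->
  <dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <version>${h2.version}</version>
    <scope>test</scope>
  </dependency>
</dependencies>
```

To confirm the result, run `mvn dependency:tree -Dincludes=com.h2database` in the project: h2 should appear only with `:test` scope, and it should be absent from the listing of any module that produces the production distribution.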