CVE-2021-42392
Published: 2022-01-10
Priority: P178 (critical) · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 63.21% (99.1th percentile)
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | h2database | < h2database 2.1.210-1 (bookworm) | h2database 2.1.210-1 (bookworm) |
| h2database | h2 | 1.1.000 – 2.0.204 | — |
| h2database | h2 | >= 1.1.100 < 2.0.206 | 2.0.206 |
| oracle | communications_cloud_native_core_console | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability lies in org.h2.util.JdbcUtils.getConnection accepting attacker-controlled JNDI driver names and URLs; monitor for JNDI/LDAP or JNDI/RMI URLs passed as database connection parameters to this method.
- The H2 Console is the primary unauthenticated attack vector; detect and alert on unauthenticated HTTP access to the H2 Console endpoint, especially with JNDI-style JDBC URLs in connection parameters.
- The exploit relies on unfiltered attacker-controlled URLs passed to javax.naming.Context.lookup; instrument or monitor calls to this function with externally supplied input as an indicator of exploitation.
- The attack mechanism is JNDI remote class loading (dynamic classloading via LDAP/RMI), similar to Log4Shell; network-level detection should look for outbound LDAP/RMI connections originating from H2 database processes.
- In OpenShift Container Platform, the openshift4/ose-metering-presto container ships the vulnerable H2 version but uses the default configuration, reducing impact to LOW; the Metering product has been deprecated since OCP 4.6.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
H2 vulnerabilities
vendor_ubuntu·2024-06-13·CVSS 9.8
CVE-2021-42392 [CRITICAL] H2 vulnerabilities
Summary: H2 could be made to allow arbitrary code execution.
It was discovered that H2 was vulnerable to deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially crafted connection URLs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23221)
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Oracle Communications Risk Matrix: Policy (H2) — CVE-2021-42392
vendor_oracle·2022-04-15·CVSS 9.8
CVE-2021-42392 [CRITICAL] Oracle Oracle Communications Risk Matrix: Policy (H2) — CVE-2021-42392
CVE: CVE-2021-42392
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2022 (APR 2022)
Ubuntu
H2 vulnerabilities
vendor_ubuntu·2022-04-05·CVSS 9.8
CVE-2021-42392 [CRITICAL] H2 vulnerabilities
Summary: Several security issues were fixed in H2.
It was discovered that H2 was vulnerable to deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially crafted connection URLs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23221)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
h2: Loading of custom classes from remote servers through JNDI
vendor_redhat·2022-01-19·CVSS 9.8
CVE-2022-23221 [CRITICAL] CWE-502 h2: Loading of custom classes from remote servers through JNDI
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL concatenated with a substring that allows remote code execution by running a script.
Statement: In OpenShift Container Platform (OCP) the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of the underlying images, but as it uses standard configuration and Console is not enabled/started by default, therefore the
Red Hat
h2: Remote Code Execution in Console
vendor_redhat·2022-01-04·CVSS 9.8
CVE-2021-42392 [CRITICAL] CWE-502 h2: Remote Code Execution in Console
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console
Debian
CVE-2022-23221: h2database - H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via ...
vendor_debian·2022·CVSS 9.8
CVE-2022-23221 [CRITICAL] CVE-2022-23221: h2database - H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via ...
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Scope: local
bookworm: resolved (fixed in 2.1.210-1)
bullseye: resolved (fixed in 1.4.197-4+deb11u1)
forky: resolved (fixed in 2.1.210-1)
sid: resolved (fixed in 2.1.210-1)
trixie: resolved (fixed in 2.1.210-1)
Debian
CVE-2021-42392: h2database - The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as param...
vendor_debian·2021·CVSS 9.8
CVE-2021-42392 [CRITICAL] CVE-2021-42392: h2database - The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as param...
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
Scope: local
bookworm: resolved (fixed in 2.1.210-1)
bullseye: resolved (fixed in 1.4.197-4+deb11u1)
forky: resolved (fixed in 2.1.210-1)
sid: resolved (fixed in 2.1.210-1)
trixie: resolved (fixed in 2.1.210-1)
OSV
h2database vulnerabilities
osv·2022-04-05·CVSS 9.8
CVE-2021-42392 [CRITICAL] h2database vulnerabilities
It was discovered that H2 was vulnerable to deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially crafted connection URLs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23221)
OSV
Arbitrary code execution in H2 Console
osv·2022-01-21·CVSS 9.8
CVE-2022-23221 [CRITICAL] Arbitrary code execution in H2 Console
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
GHSA
Arbitrary code execution in H2 Console
ghsa·2022-01-21·CVSS 9.8
CVE-2022-23221 [CRITICAL] CWE-88 Arbitrary code execution in H2 Console
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
OSV
CVE-2022-23221: H2 Console before 2
osv·2022-01-19·CVSS 9.8
CVE-2022-23221 [CRITICAL] CVE-2022-23221: H2 Console before 2
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
OSV
CVE-2021-42392: The org
osv·2022-01-10·CVSS 9.8
CVE-2021-42392 [CRITICAL] CVE-2021-42392: The org
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
OSV
RCE in H2 Console
osv·2022-01-06
CVE-2021-42392 [CRITICAL] RCE in H2 Console
### Impact
H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.
H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and no protection method (such as a security constraint) was set, an intruder can load their own custom class and execute its code in the process hosting H2 Console (the H2 Server process or a web server with the H2 Console servlet).
It is also possible to load such classes by creating a linked table in these versions, but that requires `ADMIN` privileges, and a user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users.
### Patches
Since version 2.0.206 H2 Console a
GHSA
RCE in H2 Console
ghsa·2022-01-06
CVE-2021-42392 [CRITICAL] CWE-502 RCE in H2 Console
### Impact
H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.
H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and no protection method (such as a security constraint) was set, an intruder can load their own custom class and execute its code in the process hosting H2 Console (the H2 Server process or a web server with the H2 Console servlet).
It is also possible to load such classes by creating a linked table in these versions, but that requires `ADMIN` privileges, and a user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users.
### Patches
Since version 2.0.206 H2 Console a
No detection rules found.
No public exploits indexed.
arXiv
SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java
arxiv_fulltext·2024-06-28
Aman Sharma, Martin Wittlinger, Benoit Baudry, Martin Monperrus
A. Sharma and M. Monperrus are with the KTH Royal Institute of Technology, Stockholm, Sweden ({amansha, monperrus}@kth.se)
M. Wittlinger is with the HDI Group, Cologne, Germany
B. Baudry is with the Université de Montréal, Montréal, Canada
## Abstract
Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources.
The code from unverified sources does not pose a threat until it is executed.
Log4Shell is a recent example of a supply chain attack that processed a ma
Talos
Threat Source Newsletter (Jan. 20, 2022)
blogs_talos·2022-01-20
Threat Source Newsletter (Jan. 20, 2022)
Good afternoon, Talos readers.
Even though we're nearly a month into 2022, we're still not quite ready to move on from 2021. That's why next week, we'll be going live on social media to talk about some of the top cybersecurity stories from the past year.
Liz Waddell from Talos Incident Response and Matt Olney from our threat intelligence team will be joining Hazel Burton from Cisco Secure to talk about everything from Log4j to supply chain attacks. You can find this stream live on any of Cisco Secure's social media platforms or the Talos YouTube page.
## Cybersecurity week in review
- In the latest round of cyber incidents in Ukraine, attackers hijacked many government-run websites and some agencies even lost important data. Microsoft was the first security research team to discover th
Checkpoint
10th January – Threat Intelligence Report
blogs_checkpoint·2022-01-10·CVSS 10.0
CVE-2021-44228 [CRITICAL] 10th January – Threat Intelligence Report
## 10th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th January, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A series of attacks targeting Russia’s Ministry of Foreign Affairs has been attributed to North Korean APT group Konni. Threat actors gained access by leveraging a socially engineered phishing campaign with New Year greetings and stealing credentials, aiming at collecting intelligence.
Check Point Anti-Bot provides protec
Sentinelone
Log4j One Month On | Crimeware and Exploitation Roundup
blogs_sentinelone·2022-01-10·CVSS 7.5
CVE-2021-44228 [HIGH] Log4j One Month On | Crimeware and Exploitation Roundup
It has been 31 days since the initial public disclosure of a critical remote code execution (RCE) vulnerability in the Apache Log4j logging library that upended enterprise security at the close of 2021. In that time, since the initial CVE-2021-44228 (critical), we've already seen five more related CVEs:
- CVE-2021-45046 (critical)
- CVE-2021-4104 (high)
- CVE-2021-42550 (moderate)
- CVE-2021-45105 (moderate)
- CVE-2021-44832 (moderate)
and several updates to the library from 2.15.01 on December 9th to 2.17.1 on December 28th.
The importance of this class of vulnerabilities in such a ubiquitous library must not be forgotten with the next spin of the cyber news cycle: with millions of vulnerable devices, attacks are likely to continue for as long as such devices running unpatched software can b
Bugzilla
CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
bugzilla·2022-01-24·CVSS 9.8
CVE-2022-23221 [CRITICAL] CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Reference:
https://github.com/h2database/h2database/security/advisories
https://github.com/h2database/h2database/releases/tag/version-2.1.210
https://twitter.com/d0nkey_man/status/1483824727936450564
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Pl
Bugzilla
CVE-2021-42392 h2: Remote Code Execution in Console
bugzilla·2022-01-11·CVSS 9.8
CVE-2021-42392 [CRITICAL] CVE-2021-42392 h2: Remote Code Execution in Console
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
Reference:
https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Discussion:
This issue has been addressed in the following products:
RHINT Camel-Q 2.2.1
Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
---
This bug is now closed. Further updates for individual products will be reflected on the
Reference:
https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html
https://security.netapp.com/advisory/ntap-20220119-0001/
https://www.debian.org/security/2022/dsa-5076
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/
Published: 2022-01-10