CVE-2021-42392
published 2022-01-10

Priority: P178 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 63.21% (99.1th percentile)
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Affected

8 ranges

Vendor      | Product                                   | Version range                        | Fixed in
debian      | debian_linux                              |                                      |
debian      | debian_linux                              |                                      |
debian      | debian_linux                              |                                      |
debian      | h2database                                | < h2database 2.1.210-1 (bookworm)    | h2database 2.1.210-1 (bookworm)
h2database  | h2                                        | 1.1.000 – 2.0.204                    |
h2database  | h2                                        | >= 1.1.100, < 2.0.206                | 2.0.206
oracle      | communications_cloud_native_core_console  |                                      |
oracle      | communications_cloud_native_core_policy   |                                      |

Detection & IOCs (extracted from sources)

  • Snort SID 58876 (other)
  • Snort SID 58877 (other)
  • The vulnerability lies in org.h2.util.JdbcUtils.getConnection accepting attacker-controlled JNDI driver names and URLs; monitor for JNDI/LDAP or JNDI/RMI URLs passed as database connection parameters to this method.
  • The H2 Console is the primary unauthenticated attack vector; detect and alert on unauthenticated HTTP access to the H2 Console endpoint, especially with JNDI-style JDBC URLs in connection parameters.
  • The exploit relies on unfiltered attacker-controlled URLs passed to javax.naming.Context.lookup; instrument or monitor calls to this function with externally supplied input as an indicator of exploitation.
  • The attack mechanism is JNDI remote class loading (dynamic classloading via LDAP/RMI), similar to Log4Shell; network-level detection should look for outbound LDAP/RMI connections originating from H2 database processes.
  • In OpenShift Container Platform, the openshift4/ose-metering-presto container ships the vulnerable H2 version but uses default configuration, reducing impact to LOW; the Metering product has been deprecated since OCP 4.6.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0         | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa          |              | 9.8   | CRITICAL |
osv           |              | 9.8   | CRITICAL |
vendor_debian |              | 9.8   | CRITICAL |
vendor_oracle |              | 9.8   | CRITICAL |
vendor_redhat |              | 9.8   | CRITICAL |
vendor_ubuntu |              | 9.8   | CRITICAL |