How To Fix CVE-2021-42392- A Critical Unauthenticated RCE In H2 Database Console?

JFrog researchers Andrey Polkovnychenko and Shachar Menashe disclosed a Log4j like vulnerability in the H2 database console that could lead attackers to perform unauthenticated remote code execution vulnerability. The flaw, tracked as CVE-2021-42392, has the same root cause as the Log4j vulnerability in the Apache Log4j logging utility. Let’s see how to fix CVE-2021-42392- a critical unauthenticated RCE in the H2 database console.

What Is H2 Database?

H2 database is a free, open-source, lightweight relational database developed in Java. It can be used in embedded, client-server, and in-memory database modes. In embedded mode, the database is embedded within the Java application, wherein case of client-server, the database can be used as a stand-alone DB server like MySQL and can be accessed through integrated web and command-line consoles. When it is used as an in-memory database, data will not persist on the disk.

What Is JNDI?

Java Naming and Directory Interface. Is a Java API that allows applications to communicate with other applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. Its main function is to provide naming and directory functionality to applications developed in the Java language. It runs on top of a Java application to fetch files from a database using naming conventions. It is defined to be independent of any specific directory service implementation.

JNDI architecture has two main components: JNDI API and JNDI SPI. API is used to access different naming and directory services. It allows the Java application to communicate with applications such as LDAP, DNS, NIS, NDS, RMI, and CORBA. JNDI has a JNDI SPI (Service Provider Interface) for each naming and directory service to communicate with different services.

JNDI Architecture

About The CVE-2021-42392 Vulnerability (A RCE Vulnerability In H2 Database Console):

As per the report, “The root cause is similar to Log4Shell – several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (AKA Java code injection AKA remote code execution).

Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters. If the driver’s class is assignable to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method:

Supplying a driver class such as javax.naming.InitialContext and a URL such as ldap://attacker.com/Exploit will lead to remote code execution.”

jfrog.com

The CVE-2021-42392 vulnerability is not widespread as Log4Shell because the H2 console only listens to localhost connections, unlike Log4Shell, which listen to remote connection by default. However, bear in mind that it is possible to make H2 listen to remote connection as well, which makes it critical.

Another important thing for your note is that some vendors say their application is running only the H2 database, not the H2 console, so their application is safe from the flaw. But, the reality is there are other vectors to exploit the CVE-2021-42392 vulnerability other than the console. You need to ensure that your application is protected from all these attack vectors. 

Ultimately, attackers will try exploiting the CVE-2021-42392 vulnerability by passing the “driver” and “url” fields to the corresponding fields of JdbcUtils.getConnection. This leads to unauthenticated RCE in H2 Database Console since the username and password are not validated before performing the lookup with the potentially malicious URL.

H2 Database Versions Vulnerable To The CVE-2021-42392 Vulnerability:

H2 database versions from v1.1.100 to v2.0.204 are vulnerable to the CVE-2021-42392 vulnerability. Make sure you shouldn’t have these versions running on your servers. 

How To Check If The System Is Vulnerable To The CVE-2021-42392 Vulnerability?

You can use the Nmap tool to scan for vulnerable systems on your network. Run this below command to scan the vulnerable systems. Note: You should need to have Nmap installed on a system connected to the network.