#VU61938 Deserialization of Untrusted Data in H2 Database


Published: 2022-04-06

Vulnerability identifier: #VU61938

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23221

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
H2 Database
Server applications / Database software

Vendor: H2 Database Engine

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within jdbc:h2:mem. A remote attacker can pass specially crafted JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

H2 Database: 1.0 - 2.0.206

External links
http://github.com/h2database/h2database/security/advisories
http://github.com/h2database/h2database/releases/tag/version-2.1.210
http://twitter.com/d0nkey_man/status/1483824727936450564
http://seclists.org/fulldisclosure/2022/Jan/39

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle SOA Suite
Multiple vulnerabilities in Oracle Healthcare Translational Research
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform
Multiple vulnerabilities in Oracle Communications Cloud Native Core Console
Ubuntu update for h2database
Remote code execution in H2 database
Debian update for h2database