CVE-2021-42392 - H2 console vulnerable to Remote Code Execution (RCE)
Summary
com.h2database:h2 is a database engine.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). The H2 Console allows loading of custom classes from remote servers through JNDI, which can lead to code execution.
If remote access was enabled explicitly and no protection method (such as a security constraint) is in place, an intruder can load their own custom class and execute their code in the process running the H2 Console (an H2 Server process or a web server with the H2 Console servlet).
Note: The H2 Console does not accept remote connections by default.
Version
18.0.0 or higher
Impact
Low. Keycloak is not vulnerable to this issue: it does not enable the H2 Console by default, and the H2 database is used only for development and testing. We do not recommend its use in production.
Below you can find more details:
Adding the quote from the CVE for more context: “H2 Console doesn’t accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn’t set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet).” - https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Remediation
Upgrade com.h2database:h2 to version 2.0.206 or higher.
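As an added example (not code from the Keycloak or H2 projects), the following Python script checks the two conditions the advisory combines before calling a deployment exposed: an H2 jar older than the fixed release 2.0.206, and an H2 Server launched with remote console access switched on. It assumes Maven-style `h2-<version>.jar` file names, with the jar's `Implementation-Version` manifest header as a fallback, and it only recognises H2's documented `-webAllowOthers`, `-tcpAllowOthers` and `-pgAllowOthers` flags; the sample jars are constructed in memory, so nothing is downloaded.

```python
"""Audit H2 jars and H2 Server launch arguments for CVE-2021-42392 exposure.

Added example, not Keycloak or H2 project code. Assumptions (not taken from
the advisory): jar names follow Maven's h2-<version>.jar convention, the jar
manifest carries an Implementation-Version header, and remote access is
enabled only through the -webAllowOthers/-tcpAllowOthers/-pgAllowOthers flags.
"""
import io
import re
import zipfile
from typing import Optional

FIXED_VERSION = "2.0.206"  # first H2 release that contains the fix
_JAR_NAME_RE = re.compile(r"h2-(\d+(?:\.\d+)*)\.jar$")
# H2 Server flags that accept connections from other hosts (web = H2 Console).
REMOTE_FLAGS = ("-webAllowOthers", "-tcpAllowOthers", "-pgAllowOthers")


def parse_version(text: str) -> tuple:
    """'1.4.200' -> (1, 4, 200): compare numerically, so 1.4.200 > 1.4.30."""
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: str) -> bool:
    """True when the version already contains the fix (>= 2.0.206)."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def h2_version_from_jar(jar_bytes: bytes, name: str) -> Optional[str]:
    """Read the H2 version from the file name, falling back to the manifest."""
    match = _JAR_NAME_RE.search(name)
    if match:
        return match.group(1)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def remote_access_flags(cmdline: str) -> list:
    """Return the H2 Server flags in a launch command that allow remote hosts."""
    return [arg for arg in cmdline.split() if arg in REMOTE_FLAGS]


def audit(jar_name: str, jar_bytes: bytes, cmdline: str) -> dict:
    """Combine both conditions: an unfixed jar and a remotely reachable console."""
    version = h2_version_from_jar(jar_bytes, jar_name)
    flags = remote_access_flags(cmdline)
    vulnerable_version = version is not None and not is_fixed(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "remote_access_flags": flags,
        # The advisory's RCE path goes through the web console, hence -webAllowOthers.
        "exposed": vulnerable_version and "-webAllowOthers" in flags,
    }


def _make_jar(impl_version: str) -> bytes:
    """Constructed stand-in for an H2 jar: a manifest only, enough for the lookup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an old jar without a version in its name, and a fixed one.
    samples = [
        ("h2.jar", _make_jar("1.4.197"), "java -jar h2.jar -web -webAllowOthers"),
        ("h2.jar", _make_jar("1.4.197"), "java -jar h2.jar -web"),
        ("h2-2.0.206.jar", _make_jar("2.0.206"), "java -jar h2-2.0.206.jar -web -webAllowOthers"),
    ]
    for jar_name, jar_bytes, cmdline in samples:
        print(jar_name, cmdline, "->", audit(jar_name, jar_bytes, cmdline))
```

The script deliberately reports the version and the remote-access flags separately: an old jar that is only reachable on localhost is still worth upgrading, and a fixed jar with `-webAllowOthers` is still a console exposed to the network. A servlet-container security constraint, the other mitigation the advisory names, is not visible from a command line, so a deployment flagged as `exposed` should be checked for one before being declared vulnerable.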
References
- GitHub Advisory
- GitHub Commit
- The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console
- https://github.com/keycloak/keycloak/issues/12607
Additional information
Keycloak is not vulnerable, but it is affected because the WildFly legacy and Quarkus distributions carry the h2database dependency.
Before H2 can be updated in Keycloak, it first has to be updated in WildFly and Quarkus themselves. As of now, Quarkus 2.8.0.Final and WildFly 26 are both still on H2 version 1.4.197.
The Quarkus team has updated the dependency on the main branch, but we need to wait for an upcoming release.
Top GitHub Comments
Adding it to the next milestone, but as @pedroigor mentioned, it should be “solved” with the replacement of H2 with the concurrent map store.
AFAIK, we should be replacing H2 with the concurrent map store. It is unclear when it will happen but I think it will happen soon.
Considering the Quarkus distribution, if we can restrict H2 to dev mode we can keep it there for a while without having to worry about CVEs.