CVE-2021-23463 Overview
The package com.h2database:h2 from version 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object. This vulnerability is triggered when the class receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method and subsequently executes the getSource() method with DOMSource.class as the parameter.
Critical Impact
Successful exploitation allows attackers to read sensitive files from the server, perform server-side request forgery (SSRF), or cause denial of service conditions through network-accessible XML parsing operations.
Affected Products
- H2 Database versions from 1.4.198 to before 2.0.202
- Applications using com.h2database:h2 Maven dependency within the vulnerable version range
- Java applications utilizing H2's JDBC SQLXML functionality
Discovery Timeline
- 2021-12-10 - CVE CVE-2021-23463 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23463
Vulnerability Analysis
This XXE injection vulnerability exists in the H2 Database's XML handling implementation. The root cause lies in the JdbcSQLXML class, which fails to properly configure the XML parser to disable external entity resolution when processing XML data retrieved via JDBC operations.
When an application retrieves SQLXML data using JdbcResultSet.getSQLXML() and then calls getSource(DOMSource.class), the underlying XML parser processes external entity declarations without restrictions. This allows an attacker who can control the XML content stored in the database to inject malicious entity declarations that reference external resources.
The vulnerability enables attackers to read arbitrary files from the server's filesystem, make outbound network connections to attacker-controlled servers (SSRF), or cause denial of service through recursive entity expansion (billion laughs attack) or by referencing slow or unavailable network resources.
Root Cause
The vulnerability stems from improper configuration of the XML parser within the JdbcSQLXML class. Specifically, the parser does not disable the following dangerous features:
- XMLConstants.FEATURE_SECURE_PROCESSING is not enabled
- External general entities and external parameter entities are not disabled
- DOCTYPE declarations are not restricted
When getSource(DOMSource.class) is invoked, the XML content is parsed using a DocumentBuilder that allows resolution of external entities, enabling XXE attacks.
Attack Vector
The attack requires network access to the vulnerable application. An attacker must be able to insert or control XML content that is later processed by the vulnerable JdbcSQLXML.getSource() method. This could occur through:
- Direct database access where the attacker can insert malicious XML into an SQLXML column
- Application functionality that accepts XML input and stores it in the H2 database
- Data synchronization or import features that process untrusted XML
When the application later retrieves this data using getSQLXML() and processes it with getSource(DOMSource.class), the malicious external entities are resolved, leading to information disclosure or SSRF. For detailed technical analysis, refer to the Snyk Vulnerability Report and GitHub Issue #3195.
Detection Methods for CVE-2021-23463
Indicators of Compromise
- Unexpected outbound network connections from the H2 database process or Java application server to external hosts
- Unusual file access patterns indicating attempts to read sensitive files such as /etc/passwd, application configuration files, or credential stores
- XML parsing errors in application logs related to external entity resolution failures
- Presence of XML content in database columns containing DOCTYPE declarations with SYSTEM or PUBLIC entity references
Detection Strategies
- Implement dependency scanning using software composition analysis (SCA) tools to identify applications using vulnerable H2 Database versions (1.4.198 to 2.0.202)
- Monitor network traffic for unexpected outbound connections originating from application servers, particularly to uncommon ports or suspicious domains
- Review application logs for XML parsing exceptions or warnings related to external entity processing
- Audit database content for SQLXML columns containing suspicious DOCTYPE declarations or entity references
Monitoring Recommendations
- Deploy network intrusion detection rules to identify XXE-related SSRF traffic patterns from application hosts
- Configure application-level logging to capture XML processing activities, particularly those involving JdbcSQLXML class operations
- Implement file integrity monitoring on sensitive system files to detect unauthorized read attempts
- Use SentinelOne's application vulnerability detection to identify running applications with vulnerable H2 Database dependencies
How to Mitigate CVE-2021-23463
Immediate Actions Required
- Upgrade H2 Database to version 2.0.202 or later, which includes the security fix for this vulnerability
- Audit all applications using H2 Database to inventory affected deployments and prioritize remediation
- If immediate upgrade is not possible, implement input validation to sanitize XML content before storage in SQLXML columns
- Review application code to identify usage of JdbcSQLXML.getSource(DOMSource.class) and assess exposure
Patch Information
The H2 Database maintainers addressed this vulnerability in version 2.0.202. The fix implements secure XML parser configuration that disables external entity processing. For Maven-based projects, update your dependency to:
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.0.202</version>
</dependency>
The fix details are available in GitHub Pull Request #3199. Additional vendor advisories are available from Oracle's Critical Patch Update and the NetApp Security Advisory.
Workarounds
- Avoid using JdbcSQLXML.getSource(DOMSource.class) in application code until the upgrade can be completed
- Implement a custom XML parser wrapper that explicitly disables external entity processing before parsing SQLXML data
- Apply input validation to reject XML content containing DOCTYPE declarations or entity references before storage
- Use network segmentation to restrict outbound connections from application servers, limiting SSRF impact
# Example Maven dependency update command
mvn versions:use-latest-releases -Dincludes=com.h2database:h2
# Verify H2 version after update
mvn dependency:tree | grep h2database
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
