H2 Database Console Remote Code Execution [Severity: Critical]

Template for a good bug report, formatted with Markdown:

  • Versions used (SonarQube, Scanner, Plugin, and any relevant extension) - 7.9.6
  • Error observed (wrap logs/code around triple quote ``` for proper formatting)

Subject:- Our Vulnerability team has suggested removing the H2 Database for the reasons below. Can you please let us upgrade the H2 Database or provide any alternatives?

Description

H2 is an open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on disk.

CVE-2021-42392: H2 Console in versions from 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution.

Affected versions:

  • 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21)

Impact

The H2 Console doesn't accept remote connections by default. However, if remote access was enabled explicitly and no protection method (such as a security constraint) was set, an intruder can load their own custom class and execute its code in the process hosting the H2 Console (the H2 Server process or a web server with the H2 Console servlet). A remote attacker executing code on the target system would compromise the confidentiality, availability and integrity of data and services on the identified hosts.

Mitigation

It is recommended that the H2 database is upgraded to version 2.0.206 to remediate this. In version 2.0.206, the H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI, meaning only local data sources can be used.

Recommended Action

Confirm whether the H2 database is required. If it is required, upgrade to version 2.0.206 within 60 days. If the H2 database is not required, please remove the software from the assets. If remediation cannot be performed for any reason, a risk needs to be raised to cover this vulnerability; or, if it is believed that the vulnerability does not exist, please submit evidence and explanations to the Vulnerability Management mailbox.

References

CVE-2021-42392 H2 Database Vulnerability in NetApp Products | NetApp Product Security

The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console

If we delete the H2 Database or rename the folder, then the SonarQube service doesn't start.
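The driver/URL dispatch described in the CVE text above, and the "only local JNDI names" rule the mitigation paragraph describes, modelled in Python. This is an added example, not H2's source or anything from the post: the class names are real JDK/H2 identifiers, but `plan_connection` is a stand-in for `JdbcUtils.getConnection`, the `attacker.example` host is made up, and treating only the `java:` namespace as local is an assumption that mirrors the advisory's wording rather than H2's actual 2.0.206 check.

```python
"""
Model of the H2 Console driver/URL dispatch behind CVE-2021-42392 and of a
"local JNDI names only" guard. Added example code, not H2's own source.
"""
import re
from typing import Optional, Tuple

# Driver class names a caller might legitimately pass (real identifiers).
JDBC_DRIVERS = {"org.h2.Driver", "org.postgresql.Driver"}

# JDK classes implementing javax.naming.Context. When the "driver" is one of
# these, the URL is handed to Context.lookup(), which for ldap:// or rmi://
# names contacts that server and may load a class from it.
JNDI_CONTEXTS = {
    "javax.naming.InitialContext",
    "javax.naming.directory.InitialDirContext",
    "javax.naming.ldap.InitialLdapContext",
}

# A JNDI composite name may begin with a URL scheme ("ldap://h/x", "java:comp/env/x").
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def jndi_scheme(name: str) -> Optional[str]:
    """Lower-cased URL scheme of a JNDI name, or None if the name has no scheme."""
    m = _SCHEME_RE.match(name.strip())
    return m.group(1).lower() if m else None


def is_local_jndi_name(name: str) -> bool:
    """Assumption: only the in-process 'java:' namespace is local.
    ldap:, rmi:, dns:, iiop: and friends reach a server; a scheme-less name is
    resolved by whatever java.naming.provider.url points at, so it is not
    treated as local either."""
    return jndi_scheme(name) == "java"


def plan_connection(driver: str, url: str, hardened: bool) -> Tuple[str, str]:
    """What getConnection(driver, url) would do with these parameters.

    Returns ("jdbc", url) for a JDBC driver and ("jndi", url) when the driver
    is a JNDI context and the URL would be looked up. With hardened=True a
    non-local JNDI name is refused instead of being looked up.
    """
    driver = driver.strip()
    if driver in JDBC_DRIVERS:
        if not url.startswith("jdbc:"):
            raise ValueError(f"not a JDBC URL: {url!r}")
        return ("jdbc", url)
    if driver in JNDI_CONTEXTS:
        if hardened and not is_local_jndi_name(url):
            raise ValueError(f"remote JNDI lookup refused: {url!r}")
        return ("jndi", url)
    raise ValueError(f"unknown driver class: {driver!r}")


def hardened_refuses(driver: str, url: str) -> bool:
    """True if the hardened dispatch rejects this driver/URL pair."""
    try:
        plan_connection(driver, url, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request shapes: a normal console login, a local data source,
    # and the attack shape from the advisory (attacker-controlled LDAP server).
    cases = [
        ("org.h2.Driver", "jdbc:h2:mem:sonar"),
        ("javax.naming.InitialContext", "java:comp/env/jdbc/sonar"),
        ("javax.naming.InitialContext", "ldap://attacker.example:1389/Exploit"),
        ("javax.naming.InitialContext", "RMI://attacker.example:1099/Exploit"),
    ]
    for drv, u in cases:
        for hardened in (False, True):
            try:
                print("hardened" if hardened else "vulnerable", plan_connection(drv, u, hardened))
            except ValueError as err:
                print("hardened" if hardened else "vulnerable", "refused:", err)
```

The scheme match is case-insensitive on purpose: JNDI URL schemes are matched case-insensitively, so a guard that only compares against lower-case `ldap://` would be bypassed by `LDAP://`. An allowlist on `java:` avoids that class of mistake entirely.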

Hey there.

  1. SonarQube v7.9.6 is an EOL version of SonarQube, you should upgrade to at least v8.9.6
  2. The H2 database is only used for evaluation purposes (when sonar.jdbc.url is not configured to a Postgres, Oracle, or Microsoft SQL Server database). It is not production-ready, nor meant to be.
  3. Incidentally, we already plan to upgrade the H2 database in SonarQube v9.4 (SONAR-15845)
  4. In all versions, SonarQube is not vulnerable as the H2 console is not enabled and the H2 URL is hardcoded
  5. In the future, please follow our guide on Responsible Vulnerability Disclosure
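A way to check point 2 of the reply on a real installation: read `sonar.properties` and decide whether the server would fall back to the embedded H2 database. This is an added example, not SonarSource code. It assumes the rule stated in the reply (H2 is used only when `sonar.jdbc.url` is not configured) and additionally treats a present-but-blank value as unconfigured; the `.properties` parsing is a small reimplementation of the format's rules rather than the JDK's `Properties` class, and the sample files are constructed.

```python
"""
Decide which database backend a SonarQube sonar.properties file selects.
Added example, not SonarSource code.
"""
from typing import Dict, Iterator


def _logical_lines(text: str) -> Iterator[str]:
    """Yield non-comment logical lines, joining backslash continuations
    (a line ending in an odd number of backslashes continues on the next)."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = ""
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:
            buf += line[:-1]  # drop the continuation backslash only
            continue
        buf += line
        yield buf
        buf = None
    if buf is not None:
        yield buf


def _split_kv(line: str):
    """Split a logical line into key and value: the key ends at the first
    unescaped '=', ':' or whitespace; an optional separator follows."""
    i, key = 0, []
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
            continue
        if c in "=: \t":
            break
        key.append(c)
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return "".join(key), rest


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text; later definitions win, as in the JDK."""
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        k, v = _split_kv(line)
        props[k] = v
    return props


def database_backend(props: Dict[str, str]) -> str:
    """'h2' when sonar.jdbc.url is unset or blank (assumption: blank counts as
    unset), otherwise the JDBC subprotocol, e.g. 'postgresql' or 'sqlserver'."""
    url = props.get("sonar.jdbc.url", "").strip()
    if not url:
        return "h2"
    parts = url.split(":", 2)
    if len(parts) < 2 or parts[0].lower() != "jdbc":
        raise ValueError(f"not a JDBC URL: {url!r}")
    return parts[1].lower()


def uses_embedded_h2(text: str) -> bool:
    return database_backend(parse_properties(text)) == "h2"


# Constructed sample: the JDBC URL line is commented out, as in a fresh install.
SAMPLE_DEFAULT = """\
# sonar.properties with the JDBC URL left commented out
#sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube?currentSchema=my_schema
sonar.web.port=9000
"""

# Constructed sample: PostgreSQL configured, using ' = ', ' : ' and a continuation.
SAMPLE_POSTGRES = """\
sonar.jdbc.username = sonarqube
sonar.jdbc.password : s3cret
sonar.jdbc.url=jdbc:postgresql://db.internal:5432/sonarqube\\
?currentSchema=public
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("postgres", SAMPLE_POSTGRES)):
        print(name, database_backend(parse_properties(text)))
```

Run it against the real file with `database_backend(parse_properties(open("conf/sonar.properties").read()))`; an `h2` result means the instance is on the evaluation database the reply describes and should be pointed at a supported server rather than having the H2 folder removed.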