H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392)

Article ID: 241308

Products

Service Virtualization

Issue/Introduction

Vulnerability "H2 Database Console Remote Code Execution (RCE) Vulnerability (CVE-2021-42392)" is highlighted in the h2-1.4.178.jar file. The jar file is available in ..devtest-10.6/lib/

Could you please advise me on the steps to fix this vulnerability?

Environment

Release: 10.6

Component: DevTest Vulnerability

Resolution

CVE-2021-42392 affects only H2 deployments that are actively using the Web Console and have enabled remote access to it. By default, the H2 Console is not enabled and does not accept remote connections; to enable it, the administrator must explicitly load it. It is also not possible to reach the console of an in-memory database from another process unless a TCP server is started in the same process that opened the database. Since none of these conditions hold by default, the severity and impact are deemed low for SV.

Furthermore, H2 should be used only for experimental, demo, or development purposes. If it is being used in production, the customer should move to another standard database.
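The resolution above rests on three conditions: a vulnerable H2 jar, the Web Console actually loaded, and remote access to it enabled. The following triage script is an added example, not Broadcom's or H2's code; it turns those conditions into a repeatable check against the jar path and the command line of any H2 server process found on the host. It assumes the jar follows the h2-<version>.jar naming seen in the question and that the console is started via the real `org.h2.tools.Server` switches `-web`, `-webAllowOthers`, `-tcp` and `-tcpAllowOthers`; a console started programmatically from application code would need a code review instead. The fix version 2.0.206 is a known fact about H2 and is not stated in this article.

```python
"""Triage helper for CVE-2021-42392 exposure (added example, not Broadcom or H2 code).

Encodes the KB's conditions: vulnerable jar + console loaded + remote access.
Inputs are the H2 jar path and the JVM command line of the H2 server process
(for example one line of `ps -ef` output).
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# Known fact, not from the KB: H2 2.0.206 is the first release containing the fix.
FIXED_VERSION: Tuple[int, int, int] = (2, 0, 206)

# Real org.h2.tools.Server switches that open the surface discussed in the article.
SERVER_MAIN = "org.h2.tools.Server"
CONSOLE_FLAG = "-web"                    # loads the web console
CONSOLE_REMOTE_FLAG = "-webAllowOthers"  # lets non-local hosts reach the console
TCP_FLAG = "-tcp"                        # TCP server; needed to reach an in-memory DB from another process
TCP_REMOTE_FLAG = "-tcpAllowOthers"      # lets non-local hosts reach the TCP server


def parse_h2_version(jar_path: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from a file name such as h2-1.4.178.jar, else None."""
    m = re.search(r"h2-(\d+)\.(\d+)\.(\d+)\.jar$", jar_path)
    return tuple(int(g) for g in m.groups()) if m else None


@dataclass
class Assessment:
    jar_version: Optional[tuple]
    jar_vulnerable: bool
    console_enabled: bool
    console_remote: bool
    tcp_server: bool
    tcp_remote: bool
    level: str    # unknown | patched | low | medium | high
    detail: str


def assess(jar_path: str, cmdline: str) -> Assessment:
    """Rate exposure from the jar version and the H2 process command line."""
    version = parse_h2_version(jar_path)
    jar_vulnerable = version is not None and version < FIXED_VERSION

    tokens = shlex.split(cmdline)
    server_launched = SERVER_MAIN in tokens
    args = set(tokens)
    console_enabled = server_launched and CONSOLE_FLAG in args
    console_remote = console_enabled and CONSOLE_REMOTE_FLAG in args
    tcp_server = server_launched and TCP_FLAG in args
    tcp_remote = tcp_server and TCP_REMOTE_FLAG in args

    if version is None:
        level, detail = "unknown", "could not determine H2 version from jar name"
    elif not jar_vulnerable:
        level, detail = "patched", "H2 %s is at or above 2.0.206" % ".".join(map(str, version))
    elif console_remote:
        level, detail = "high", "vulnerable H2 with console reachable from other hosts"
    elif console_enabled:
        level, detail = "medium", "vulnerable H2 with console loaded, local connections only"
    else:
        level, detail = "low", "vulnerable jar present but console not loaded (the KB's default case)"
    return Assessment(version, jar_vulnerable, console_enabled, console_remote,
                      tcp_server, tcp_remote, level, detail)


# Constructed sample inputs; not real DevTest process listings.
SAMPLE_JAR = "/opt/devtest-10.6/lib/h2-1.4.178.jar"
SAMPLE_CMDLINES = {
    "no H2 server process": "java -cp lib/* com.example.DevTestMain",
    "console loaded, local only": "java -cp lib/h2-1.4.178.jar org.h2.tools.Server -web -webPort 8082",
    "console exposed to network": "java -cp lib/h2-1.4.178.jar org.h2.tools.Server -web -webAllowOthers -tcp -tcpAllowOthers",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_CMDLINES.items():
        a = assess(SAMPLE_JAR, cmd)
        print(f"{label}: {a.level} ({a.detail})")
```

Run it against each H2-bearing Java process on the host; a "low" result matches the article's assessment for the shipped jar, while "medium" or "high" means the console was explicitly loaded and the jar should be upgraded or the console disabled.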