Description
The latest version of h2 carries a serious security warning: a CVSSv3 score of 8.8!
https://nvd.nist.gov/vuln/detail/CVE-2018-10054
The reason is that the ALIAS functionality (CREATE ALIAS) can be misused to execute arbitrary Java code on the system. If the h2 web console is not protected by a username/password and is reachable from hosts other than localhost, this is a serious security hole.
Since many h2 web consoles run in exactly this configuration during development, any developer can be attacked by other people on the same network, who gain access to the developer's machine through the web console in a browser.
Good documentation of the attack is here: https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
The problem is that this security issue is a feature, not a bug. The real problem is the configuration of the h2 web console!
Still, the current OWASP dependency check reports the h2 library in version 1.4.197 as vulnerable. In reality this applies to all versions of the library.
Suggestions to mitigate the attack:
- Set a good password on the database. This does not work in our environment, as we use h2 as a development database and the username/password is configured in the application configuration, which is accessible to all developers. So another developer can still access the h2 console.
- Restrict access to the h2 console to localhost.
Here is a piece of code (from our jhipster project) that does so:
```java
// dispatcher types the filter applies to; `disps` is defined earlier in the same method
// of JHipster's WebConfigurer and is repeated here so the snippet is self-contained
EnumSet<DispatcherType> disps = EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ASYNC);

ServletRegistration.Dynamic h2ConsoleServlet =
    servletContext.addServlet("H2Console", new org.h2.server.web.WebServlet());
h2ConsoleServlet.addMapping("/h2-console/*");
h2ConsoleServlet.setInitParameter("-properties", "src/main/resources/");
h2ConsoleServlet.setLoadOnStartup(1);

// prevent access to h2-console from the network - this is a security hole, as others could execute Java code on the developer machine:
// see CVE-2018-10054
// exploit & description: https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
FilterRegistration.Dynamic localhostFilter = servletContext.addFilter("localhostFilter", new LocalhostOnlyFilter());
localhostFilter.addMappingForUrlPatterns(disps, true, "/h2-console/*");
localhostFilter.setAsyncSupported(true);
```

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request whose TCP peer is not a loopback address.
 * The decision is based on getRemoteAddr(), which comes from the socket, and NOT on
 * getServerName(): that value is derived from the client-supplied Host header, so a
 * remote attacker could simply send "Host: localhost" and walk past a name-based check
 * (and a legitimate developer browsing to http://127.0.0.1:8080/ would be rejected).
 * Caveat: behind a reverse proxy getRemoteAddr() is the proxy's address; if the proxy
 * runs on the same machine, every proxied request looks local and is let through.
 */
public class LocalhostOnlyFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isLoopback(request.getRemoteAddr())) {
            chain.doFilter(request, response);
        } else {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access restricted to localhost");
        }
    }

    // true for 127.0.0.0/8 and ::1; getByName() on an IP literal performs no DNS lookup
    private static boolean isLoopback(String remoteAddr) {
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void destroy() {
    }
}
```

The h2 web console should be restricted to localhost by default; anyone who wants more open access must configure that explicitly ("secure by default").
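The following is an added example, not code from this issue or from the JHipster project. It models in Python what the two possible localhost checks see: `server_name()` mimics what `HttpServletRequest.getServerName()` returns (the host part of the client-supplied `Host` header), while `remote_addr` stands for `getRemoteAddr()` (the peer address of the TCP connection). The requests, the `Request` class and the helper names are constructed for the illustration and assume no reverse proxy in front of the servlet container.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    remote_addr: str   # peer address of the TCP connection (what getRemoteAddr() returns)
    host_header: str   # raw HTTP Host header (what getServerName() is derived from)


def server_name(req: Request) -> str:
    # Mimic getServerName(): host part of the Host header with the port stripped.
    host = req.host_header
    if host.startswith("["):                 # IPv6 literal, e.g. "[::1]:8080"
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def allowed_by_server_name(req: Request) -> bool:
    # The check of a name-based filter: it trusts a header the client controls.
    return server_name(req) == "localhost"


def allowed_by_remote_addr(req: Request) -> bool:
    # Hardened check: the peer address comes from the socket, not from the request,
    # and is_loopback covers both 127.0.0.0/8 and ::1.
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:                       # unparsable address: deny
        return False


# Constructed sample requests (not captured traffic).
REQUESTS = {
    "dev, browser on localhost":        Request("127.0.0.1", "localhost:8080"),
    "dev, browser on 127.0.0.1":        Request("127.0.0.1", "127.0.0.1:8080"),
    "dev, browser on [::1]":            Request("::1", "[::1]:8080"),
    "colleague on LAN, spoofed Host":   Request("192.168.1.23", "localhost:8080"),
    "colleague on LAN, honest Host":    Request("192.168.1.23", "devbox.corp:8080"),
}


def evaluate(requests=REQUESTS):
    """Return {name: (allowed by server-name check, allowed by remote-addr check)}."""
    return {name: (allowed_by_server_name(r), allowed_by_remote_addr(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (by_name, by_addr) in evaluate().items():
        print(f"{name:34} servername-check={by_name!s:5} remoteaddr-check={by_addr}")
```

The spoofed-Host case is the one that matters: the name-based check lets the LAN request through, the address-based check does not. It also shows the name-based check rejecting a developer who opens the console via `127.0.0.1` or `[::1]`. Against a running instance the spoof is a single `curl -H 'Host: localhost' http://<dev-machine-ip>:8080/h2-console/` from another host on the network.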