CVE-2022-45868: Password exposure in H2 Database (not an issue)

[lukaseder]

Dependabot and org.owasp:dependency-check-maven have been reporting CVE-2022-45868 (see GHSA-22wj-vf5f-wrvj) to me. I didn't find this CVE referenced from any issue in the issue tracker here, so I'm creating this one.

Since the CVE has already been published (possibly as a zero day??), I suspect it's OK to report this publicly here. For future private reports, I think it would be useful to set up a security policy here on github? https://github.com/h2database/h2database/security/policy

[lukaseder]

Doesn't seem to be a zero day, according to the original report: https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243

[katzyn]

It was privately reported on Aug 4th 2022 via huntr.dev and we explained that it isn't a vulnerability and there is nothing to fix.

[lukaseder]

Well, it seems your explanation was not honoured by the researchers, given that GHSA-22wj-vf5f-wrvj is now reported by all sorts of automation tools...

I'm not sure what to do about this. You can obviously close this issue here, but many others will get similar reports from dependabot and the owasp checker.

[katzyn]

Documentation of H2 describes only a file-based configuration (and password actually can be encrypted in configuration file).

But it is possible to pass password to a server inside an application without that file:

Server server = new Server();
server.runTool("-web", "-webPort", "8182", "-properties", "null", "-webAdminPassword", "123");

Somebody abused this way by passing these arguments in the command like. OK, this way will also work and actually it is possible to pass passwords in the command line to many other applications too, but why it is considered as a vulnerability of such applications, especially when command line isn't suggested anywhere and there are safer documented ways?

I don't know that to do with this fake report. This setting is rarely needed, but why we should remove it? I also don't see a simple reliable way to check source of password to reject only passwords from a command line.

[lukaseder]

Makes sense to me, thanks for your explanation. It isn't the first case of such a security incident escalating way beyond what's reasonable. Similar things happened to other projects recently, including pgjdbc.

[pjfanning]

@katzyn would you be able to see if the CVE could be marked as DISPUTED or REJECTED (as per this FAQ)?

This CVE should never have been created.

[ashirvadgupta]

@katzyn Can we modify the source code and remove the option to pass webAdminPassword as we don't intend to use it and build the jar and use it.

[enaiel]

@katzyn has the dispute been filed with CVE? This is being flagged as a past-due (Nov '22) high vulnerability on all corporate servers by the automatic Sonatype scanners.

[katzyn]

@grandinj
Could you take a look?
https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf
Maybe we can do something with this CVE.

[grandinj]

No sorry, I'm not willing to waste my time on this nonsense

[enaiel]

@grandinj I hope you do realize that if this CVE stays, it would be the end of the use of H2 database by major corporations. We would all need to find alternate solutions and exit H2 within the next 6 months. Please reconsider.

[grandinj]

I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project.
Feel free to get your corporation to pay someone to deal with this, or pay for a similar commercial library.

[legolasbo]

Despite being marked as a non-issue, this has been addressed in #3833 and released in version 2.2.220