CVE-2022-23221 The H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring. This is different from CVE-2021-42392.
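As an added example that is not part of this advisory or of the H2 project, the Python check below parses H2 JDBC URLs the way a console login form receives them, flags the settings combination named in the description, and runs the check over constructed log lines (the log format, the `url=` field and the function names are assumptions, not anything from the advisory):

```python
import re

URL_RE = re.compile(r"\burl=(\S+)")

# Constructed sample lines shaped like an access log in front of an H2 Console (assumed format).
SAMPLE_LOG = [
    "10.0.0.5 POST /login.do url=jdbc:h2:~/app;USER=sa status=200",
    "10.0.0.9 POST /login.do url=jdbc:h2:mem:x;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT status=200",
    "10.0.0.7 POST /login.do url=jdbc:h2:tcp://db:9092/app;MODE=MySQL status=200",
]

def parse_h2_url(url):
    """Split 'jdbc:h2:<db>;KEY=VALUE;...' into (db, settings); H2 keys are case-insensitive."""
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL: %r" % url)
    db, *pairs = url.split(";")
    settings = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        settings[key.strip().upper()] = value.strip()
    return db, settings

def assess_h2_url(url):
    """Return the risky ingredients present in a caller-supplied H2 URL."""
    db, settings = parse_h2_url(url)
    findings = []
    if "INIT" in settings:
        findings.append("INIT")  # INIT runs SQL at connect time; this alone is enough to block
        if "RUNSCRIPT" in settings["INIT"].upper():
            findings.append("INIT=RUNSCRIPT")  # the exact pattern named in the advisory
    if settings.get("FORBID_CREATION", "").upper() == "FALSE":
        findings.append("FORBID_CREATION=FALSE")  # lets the caller create a new database
    if settings.get("IGNORE_UNKNOWN_SETTINGS", "").upper() == "TRUE":
        findings.append("IGNORE_UNKNOWN_SETTINGS=TRUE")  # hides settings the server rejected
    return findings

def scan_console_log(lines):
    """Return (line_number, verdict, findings) for every url= field in the log."""
    results = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        try:
            findings = assess_h2_url(m.group(1))
        except ValueError:  # not an H2 URL at all: reject rather than guess
            results.append((n, "reject", []))
            continue
        results.append((n, "block" if "INIT" in findings else "allow", findings))
    return results
```

The same `assess_h2_url` check can sit in front of the console login handler, where any URL carrying INIT from an untrusted caller should be refused outright rather than only logged.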
This issue was reported by Yuhuan Shih from IBM.

CVE-2018-1010: The JDBC code in Apache HSQL before 1.10.7, 1.11.x before 1.11.6, and 1.12.x before 1.12.1 does not properly enforce type checking of parameters, which might allow remote attackers to conduct SQL injection attacks via a crafted JDBC URL. (CVE-2018-1010)

NEW - Fixed in Apache HSQL 1.13.x and 2.x. For Debian and Ubuntu, the package is libhsqldb1.13 or libhsqldb2.10.

Fixed in Apache HSQL 2.x. Package names by distribution:
- Debian and Ubuntu: libhsqldb2 or libhsqldb2.9
- CentOS and Red Hat: libhsqldb or libhsqldb2.7
- Amazon Linux: libhsqldb1.13 or libhsqldb2.10
- openSUSE: libhsqldb1.13 or libhsqldb2.10
- Fedora: libhsqldb or libhsqldb2.9

As these are only tested against Apache HSQL 1.13.x or 2.x, you may need to update your packaged version of Apache HSQL to a newer version.
References:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1010
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221
3. https://www.hsqldb.com/?q=hsqldb_2_9
Timeline
Published on: 01/19/2022 17:15:00 UTC
Last modified on: 07/25/2022 18:21:00 UTC
References
- https://github.com/h2database/h2database/security/advisories
- https://github.com/h2database/h2database/releases/tag/version-2.1.210
- https://twitter.com/d0nkey_man/status/1483824727936450564
- http://seclists.org/fulldisclosure/2022/Jan/39
- http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html
- https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html
- https://www.debian.org/security/2022/dsa-5076
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23221