A potential security issue has been identified in the H2 Database Engine versions up to 2.1.214, where the web-based admin console's password can be specified in cleartext via the command-line interface (CLI) using the -webAdminPassword argument. This may allow local users or attackers with local access to discover the password by listing processes and their arguments.

However, the H2 database's vendor has disputed the identification of this issue as a vulnerability, stating that "This is not a vulnerability of H2 Console... Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."

In this long-read post, we will discuss the details of this potential security issue, including the code snippet involved, links to original references, and any possible exploits.

Code Snippet

The problematic code snippet is located in the org.h2.tools.Console Java class, where the -webAdminPassword argument is parsed and used as a password for the web-based admin console.

// org.h2.tools.Console.java (excerpt; elided parts shown as ...)
public class Console {
    ...
    public static void main(String... args) throws SQLException {
        ...
        for (int i = 0; i < args.length; i++) {
            ...
            } else if ("-webAdminPassword".equals(a)) {
                // The value following the flag is taken verbatim from argv,
                // so it stays visible to anyone who can read the process's arguments.
                webAdminPassword = args[++i];
            ...
        }
        ...
        if (webAdminPassword != null) {
            // Copied unchanged into a static field; no hashing or scrubbing at this point.
            org.h2.engine.SysProperties.H2_WEB_ADMIN_PASSWORD = webAdminPassword;
        }
    }
    ...
}

When a user starts the H2 web-based console with the -webAdminPassword argument and specifies a password, the password is copied unchanged into the org.h2.engine.SysProperties class, and the original value remains in the process's argument list for as long as the process runs.

Original References

1. The H2 Database Engine's official GitHub repository, where the source code is available for review.

2. The H2 Database Engine's official website, where you can find documentation, release notes, and support information.

3. The National Vulnerability Database (NVD) entry for this disputed issue, which provides a summary, affected versions, and impact metrics.

Exploit Details

The potential security issue arises when a user or attacker with local access to the system running the H2 Database Engine can list processes and their arguments. One widely available command for this on Unix-like systems is ps. The attacker can run a command similar to this:

ps aux | grep -i "webAdminPassword"

By using this approach, the attacker may see the web-based admin console password in cleartext, as shown in this output:

user      12345  0.5  0.3  987654  123456 ?        Ssl  12:34   0:01 java -jar h2.jar -web -webAdminPassword myPassword

However, as mentioned earlier, the vendor disputes that this is a vulnerability. They argue that passwords should not be passed on the command line, and DBAs and system administrators should know better.
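The same process-listing behaviour can be turned around for defence. As an added example (not code from this post or from the H2 project), the following POSIX shell script audits a Linux host for this exposure: it reads the NUL-separated /proc/<pid>/cmdline files (assumed to exist, as they do on Linux but not on every Unix) and reports every process whose arguments contain -webAdminPassword, with the password value itself replaced by [REDACTED] so the audit output does not become a second copy of the secret. The sample argv it demonstrates on is constructed to match the ps line shown above.

```shell
#!/bin/sh
# Added example for this post, not code from the H2 project. Audits the local
# host for processes that received a password via -webAdminPassword and
# reports them without echoing the secret. Assumes Linux-style
# /proc/<pid>/cmdline files (NUL-separated argv).

# redact_cmdline FILE
# Prints the command line stored in FILE (NUL-separated argv) with the
# argument that follows -webAdminPassword replaced by [REDACTED].
# Prints nothing when the flag is absent.
redact_cmdline() {
    tr '\0' '\n' < "$1" | awk '
        BEGIN { found = 0; redact = 0; out = "" }
        {
            if (redact) {            # this record is the password value
                out = out " [REDACTED]"
                redact = 0
                next
            }
            out = (NR == 1) ? $0 : (out " " $0)
            if ($0 == "-webAdminPassword") { found = 1; redact = 1 }
        }
        END { if (found) print out }'
}

# scan_procs
# Walks every readable /proc/<pid>/cmdline and prints one redacted line per
# process carrying -webAdminPassword. Returns 0 when nothing was found and
# 1 when at least one process is exposing a password in its arguments.
scan_procs() {
    hits=0
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        line=$(redact_cmdline "$f")
        [ -n "$line" ] || continue
        printf 'pid %s: %s\n' "$pid" "$line"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Demonstration on a constructed argv (what /proc/<pid>/cmdline would hold for
# the command line shown in the post), then a real scan if /proc is present.
demo_file=$(mktemp)
printf 'java\0-jar\0h2.jar\0-web\0-webAdminPassword\0myPassword\0' > "$demo_file"
echo "constructed sample: $(redact_cmdline "$demo_file")"
rm -f "$demo_file"
if [ -d /proc ]; then
    scan_procs || echo "at least one process is exposing a password on its command line"
fi
```

Run it from a periodic job or a configuration-compliance check; because the return code of scan_procs distinguishes "clean" from "exposed", it can feed an alert without the alert itself carrying the password. Reading /proc directly rather than parsing ps output avoids the grep-pattern pitfalls of the manual command and sees the full argv even when ps would truncate it.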

Conclusion

Although the H2 Database Engine allows specifying the web-based admin console password in cleartext via the -webAdminPassword argument, the vendor disputes that this is a vulnerability. They maintain that DBAs and system administrators should not pass passwords on the command line.

Regardless of the ongoing dispute, it is essential to be aware of the possible security implications of passing cleartext passwords in any software system. Users and administrators should avoid providing sensitive information on the command line where it can be easily discovered by other users or attackers that have gained local access.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 07/18/2023 18:15:00 UTC