Exploiting H2 Database with native libraries and JNI

András Vereb

unread,

Feb 17, 2022, 10:32:41 AM2/17/22

to H2 Database

Hi,

Is this finding still relevant in 2022 with latest version 2.1.210?

code white | Blog: Exploiting H2 Database with native libraries and JNI (codewhitesec.blogspot.com)

It is also listed under sonatype-2020-1324 even for latest release.

Thank you for any comments!

Thomas Mueller Graf

unread,

Feb 17, 2022, 10:45:02 AM2/17/22

to H2 Google Group

Hi,

Yes, H2 can act as a compiler / interpreter and execute code... Same as Java: you can write a Java program that reads and writes files. And same as GCC (or any other compiler / interpreter). I wouldn't call this a "Security Vulnerability".

> https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html

The blog post makes it look like it was not intended to compile and execute code in H2... It is intended! It is part of the expected behavior. It is not "Exploiting", it is "Using". I would rename the title to

Using H2 Database to execute code in native libraries and JNI

Regards,

Thomas

--
You received this message because you are subscribed to the Google Groups "H2 Database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to h2-database...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/h2-database/698d9280-52d1-4157-8be1-9a8829a2b90bn%40googlegroups.com.

András Vereb

unread,

Feb 18, 2022, 8:53:40 AM2/18/22

to H2 Database

Hi Thomas,

however I agree with you unfortunately Sonatype Data Research think otherwise as this is marked as vulnerability still and moreover with High severity (Sonatype CVSS 3:8.0). The problem is that company policies to conduct an investigation to overrule a potential false positive might be longer process than simply drop H2 and go for something else.

Anyway thank you for your comment, it helps to support my point of view when I need to explain this in detail.

Regards,

András

Thomas Mueller Graf

unread,

Feb 18, 2022, 10:34:19 AM2/18/22

to H2 Google Group

Hi,

> unfortunately Sonatype Data Research think otherwise

They are free to discuss this with us of course.

I couldn't find "Sonatype CVSS 3:8.0" or "sonatype-2020-1324", do you have a link?

Regards,

Thomas

To view this discussion on the web visit https://groups.google.com/d/msgid/h2-database/ce6a4b9b-e878-40cb-b3c7-d240751d4776n%40googlegroups.com.

Reply all

Reply to author

Forward