sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Patched Fix H2 console vulnerable to Remote Code Execution (RCE) #342

Closed imhunterand closed 4 months ago

imhunterand commented 4 months ago

Description 🐛

Affected versions of this project sonatype/nexus-public are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution. If remote access was enabled explicitly and some protection method (such as a security constraint) is not set, an intruder can load their own custom class and execute their code in a process using H2 Console (an H2 Server process or a web server with H2 Console servlet).

```java
// Excerpt of the driver-loading check in JdbcUtils.getConnection: a JNDI
// context class may only be used with in-process "java:" URLs, so a
// caller-supplied "ldap://" URL can no longer trigger a remote class load.
        throw new SQLException("Driver " + driver + " is not suitable for " + url, "08001");
    } else if (javax.naming.Context.class.isAssignableFrom(d)) {
        if (!url.startsWith("java:")) {
            throw new SQLException("Only java scheme is supported for JNDI lookups", "08001");
        }

// Excerpt of the unit test for that check: both attempts must fail with SQLSTATE 08001.
        } catch (SQLException e) {
            assertEquals("08001", e.getSQLState());
        }
        try {
            JdbcUtils.getConnection("javax.naming.InitialContext", "ldap://localhost/ds", "sa", "");
            fail("Expected SQLException: 08001");
        } catch (SQLException e) {
            assertEquals("08001", e.getSQLState());
            assertEquals("Only java scheme is supported for JNDI lookups", e.getMessage());
        }
```

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
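The excerpt above shows only the two lines of the scheme check. The following is an added, stand-alone example (not code from Nexus Repository or from H2) that carries the same validation through in full: the caller-supplied driver class is loaded, classified as either a plain JDBC driver or a JNDI context, and a JNDI context is accepted only for the in-process `java:` namespace. The class name `JndiDriverGuard`, the method `checkDriver` and the sample inputs in `main` are assumptions made for this example; the `ldap://localhost/ds` URL is the one used in the page's test.

```java
import java.sql.Driver;
import java.sql.SQLException;
import javax.naming.Context;

/**
 * Added example (not Nexus or H2 code): validate a (driver class, URL) pair
 * before any JDBC connect or JNDI lookup is attempted. Mirrors the rule in
 * the H2 fix: a JNDI context may only be used with "java:" URLs.
 */
public final class JndiDriverGuard {

    /** Returns the loaded class when the pair is acceptable, else throws SQLSTATE 08001. */
    public static Class<?> checkDriver(String driverClassName, String url) throws SQLException {
        Class<?> d;
        try {
            d = Class.forName(driverClassName);
        } catch (ClassNotFoundException e) {
            throw new SQLException("Driver class " + driverClassName + " not found", "08001", e);
        }
        if (Driver.class.isAssignableFrom(d)) {
            // A real JDBC driver: the URL is handed to the driver, no JNDI involved.
            return d;
        }
        if (Context.class.isAssignableFrom(d)) {
            // A JNDI context: only the in-process "java:" namespace is allowed. Any other
            // scheme would resolve the name against a server chosen by whoever wrote the URL,
            // which is how a remote class ends up loaded into this process.
            if (!url.startsWith("java:")) {
                throw new SQLException("Only java scheme is supported for JNDI lookups", "08001");
            }
            return d;
        }
        throw new SQLException("Class " + driverClassName + " is neither a JDBC driver nor a JNDI context", "08001");
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example.
        String[][] samples = {
            {"javax.naming.InitialContext", "java:comp/env/jdbc/example"},
            {"javax.naming.InitialContext", "ldap://localhost/ds"},
            {"java.lang.String", "jdbc:h2:mem:test"},
        };
        for (String[] s : samples) {
            try {
                checkDriver(s[0], s[1]);
                System.out.println("ALLOW  " + s[0] + " " + s[1]);
            } catch (SQLException e) {
                System.out.println("REJECT " + s[0] + " " + s[1]
                        + " -> " + e.getMessage() + " [SQLSTATE " + e.getSQLState() + "]");
            }
        }
    }
}
```

Running `main` accepts the first pair, rejects the `ldap://` pair with the same message and SQLSTATE the page's test asserts on, and rejects the third because `java.lang.String` is neither a driver nor a context. The ordering matters: the scheme is checked before any context instance is created or any lookup is performed, so the rejected URL is never resolved.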

nblair commented 4 months ago

Thanks @imhunterand for opening a pull request. The vulnerability you cite is implicated by the version of H2 currently included in release versions of Nexus Repository (see https://nvd.nist.gov/vuln/detail/CVE-2021-42392). We are aware of this association and have mitigating controls in place to prevent it from being relevant. Please review our Dependencies with No Impact disclosures page to see it and other affected dependencies.

Upgrading the version of H2 used by Nexus Repository is a far larger effort than is shown here and is currently on our roadmap for this year. Please subscribe to our release notes to know when it becomes available.

Lastly, Sonatype uses HackerOne to allow people like yourself to responsibly disclose security vulnerabilities. As you can appreciate, if this was a real RCE, disclosing this publicly before a fix is available in place would potentially put deployments all over the world at immediate risk with no way of solving the problem. If you believe you have found a security vulnerability, please use our Bug Bounty Program to disclose responsibly.