H2O-3
cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*
- <= 3.46.0.7
A deserialization vulnerability allowing remote code execution (RCE) has been identified in the H2O-3 REST API, specifically in the 'ImportSQLTable' endpoint. This issue affects all versions prior to 3.46.0.7 and arises from improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present in the MySQL JDBC Driver version 8.0.19 and JDK version 8u112.
Exploitation of this vulnerability allows for remote code execution on the server where H2O-3 is running.
To reproduce this vulnerability, upload a malicious JDBC connection string to the 'ImportSQLTable' endpoint. The connection string must include disallowed parameters such as 'autoDeserialize' and 'queryInterceptors', which can bypass the application's parameter validation. Once the crafted connection string is processed, the deserialization vulnerability can be exploited to execute arbitrary code on the server.
Users can update to H2O-3 version 3.46.0.8 or later, where this vulnerability has been fixed.
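The advisory attributes the bug to parameter validation that covers the usual `?key=value` query string but not the driver's key-value host syntax. The check below is an added example (not H2O-3's own code) of validating a caller-supplied JDBC URL on the server side across both forms; the two parenthesised host formats are assumed from the MySQL Connector/J documentation, since the advisory does not name the exact form, and the denylist entries beyond `autoDeserialize` and `queryInterceptors` are assumed additions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Properties that must never be accepted from a caller-supplied JDBC URL.
# 'autoDeserialize' and 'queryInterceptors' are the two named in the advisory;
# the others are assumed additions that also load classes or read local files.
DISALLOWED = {
    "autodeserialize", "queryinterceptors", "statementinterceptors",
    "exceptioninterceptors", "allowloadlocalinfile", "allowurlinlocalinfile",
}

# Connector/J host syntaxes that carry properties outside the '?' query string
# (assumed from the driver docs; the advisory does not name the exact form):
#   key-value:      jdbc:mysql://(host=db,port=3306,key=value)/schema
#   address-equals: jdbc:mysql://address=(host=db)(port=3306)(key=value)/schema
PAREN_GROUP = re.compile(r"\(([^()]*)\)")


def extract_params(jdbc_url: str) -> dict:
    """Collect every property the driver could see, whichever syntax carries it."""
    if not jdbc_url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    body = jdbc_url[len("jdbc:"):]          # e.g. 'mysql://host/schema?k=v'
    params = {}
    # 1. Classic query string. parse_qsl also percent-decodes, so an encoded
    #    key such as 'auto%44eserialize' is normalised before comparison.
    for key, value in parse_qsl(urlsplit(body).query, keep_blank_values=True):
        params[key.strip().lower()] = value
    # 2. Parenthesised groups; each may hold one pair or a comma-separated list.
    for group in PAREN_GROUP.findall(body):
        for item in group.split(","):
            if "=" in item:
                key, value = item.split("=", 1)
                params[unquote(key).strip().lower()] = value.strip()
    return params


def validate_jdbc_url(jdbc_url: str) -> list:
    """Return the disallowed property names present; an empty list means accept.

    Names are compared case-insensitively so the check does not depend on how
    strictly the driver itself matches property names.
    """
    return sorted(name for name in extract_params(jdbc_url) if name in DISALLOWED)
```

A denylist like this only closes the parameters it knows about; an allowlist of the few properties the application actually needs, applied to the same merged parameter set, is the stronger form of the same check.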