H2O.ai H2O-3 Pre-Authentication Insecure Deserialization Vulnerability in Binary Model Import Allows Remote Code Execution
Vulnerability
A critical pre-authentication vulnerability allowing insecure deserialization has been identified in H2O.ai H2O-3 versions prior to 7402. This issue arises in the JAR Handler component, specifically within the 'importBinaryModel' function of 'Model.java'. The vulnerability can be exploited remotely by uploading a malicious JAR file that is then executed on the server during model scoring. The deserialization flaw was confirmed through a proof-of-concept that demonstrated the execution of attacker-controlled code via a restored reference to a custom metric function.
Impact
Exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the H2O-3 server within the Java Virtual Machine, potentially leading to a full compromise of the application process and access to sensitive data. The vulnerability was assigned a CVSS score of 9.8, indicating critical severity.
Reproduction
The vulnerability can be reproduced by uploading a malicious JAR file to the Distributed Key-Value (DKV) store using the '/3/PutKey.bin' endpoint. After uploading, a model can be trained with a reference to the malicious JAR as a custom metric function. Once the model is exported as a binary file, the original model can be deleted and the binary model re-imported. During scoring, the malicious code is executed, demonstrating the successful exploitation of the vulnerability.
Remediation
To address this vulnerability, it is recommended to require authentication and strong authorization for high-risk endpoints related to model import, export, and scoring. Additionally, untrusted model files should not be deserialized using generic methods. Instead, a safe format should be used that excludes executable references. After deserialization, all imported model parameters should be revalidated and any dynamic class-loading references rejected. Consider disabling user-provided code loading from DKV by default, unless needed in trusted environments.
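The post-import revalidation step described above, sketched as an added example (not H2O-3's own code or its actual fix). It assumes the imported model's parameters are available as a nested dict, that the parameters `custom_metric_func` and `custom_distribution_func` are the ones that carry code references, and that a reference looks like `<language>:<DKV key>=<function>`; all sample values are constructed.

```python
import re

# Assumed parameter names that can hold a reference to user-supplied code.
CODE_REF_PARAMS = {"custom_metric_func", "custom_distribution_func"}
# Assumed reference syntax: "<language>:<DKV key>=<function name>".
CODE_REF_RE = re.compile(r"^[A-Za-z]+:[^=\s]+=[\w.$]+$")


def find_code_references(params, path="params"):
    """Return (path, value) for every value that names loadable code."""
    hits = []
    if isinstance(params, dict):
        for name, value in params.items():
            here = f"{path}.{name}"
            if name in CODE_REF_PARAMS and value not in (None, ""):
                # Known code-bearing parameter: any non-empty value is rejected.
                hits.append((here, value))
            else:
                hits.extend(find_code_references(value, here))
    elif isinstance(params, (list, tuple)):
        for i, value in enumerate(params):
            hits.extend(find_code_references(value, f"{path}[{i}]"))
    elif isinstance(params, str) and CODE_REF_RE.match(params):
        # Unknown parameter whose value has the shape of a code reference.
        hits.append((path, params))
    return hits


def revalidate_imported_model(params):
    """Fail closed: raise ValueError if an imported model names any code."""
    hits = find_code_references(params)
    if hits:
        detail = ", ".join(f"{p}={v!r}" for p, v in hits)
        raise ValueError(f"imported model rejected, code references: {detail}")
    return params


# Constructed sample parameter sets (not real H2O output).
CLEAN = {"ntrees": 50, "distribution": "gaussian", "custom_metric_func": None}
TAINTED = {
    "ntrees": 50,
    "custom_metric_func": "java:uploaded.jar=com.example.Metric",
    "nested": {"hooks": ["python:k.py=mod.Cls"]},
}
```

The check runs between import and the first scoring call, so a restored reference is refused before anything resolves it against the DKV.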
