Metabase is a well-known open-source data visualization tool that helps businesses analyze, visualize, and share data insights, making it easier for users to interact with data and make informed decisions. However, a severe security issue in the software has come to light under the identifier CVE-2022-39361. This vulnerability allows remote code execution (RCE) in Metabase through its H2 (Sample Database) module in versions prior to those listed below. This post discusses the nature of the vulnerability, how it can be triggered, and measures to protect your Metabase environment from potential attacks.

Vulnerability Details

Before versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, Metabase allowed users to write native SQL queries against the H2 (Sample Database) module without restricting the kind of statement submitted. Any user permitted to write SQL queries against an H2 database could abuse this to achieve remote code execution (RCE).

Original references

- CVE-2022-39361 - Metabase RCE vulnerability
- Metabase GitHub Repository

Code Snippet

H2's CREATE ALIAS statement lets a query define a function from inline Java source, which the embedded database compiles and runs. A malicious user might execute an SQL query like the following to perform a remote code execution attack:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
  java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
  return s.hasNext() ? s.next() : "";
}$$;
CALL SHELLEXEC('your-command-here');

By executing a query of this form, an attacker could use the H2 database to run commands on the host as the Metabase process, perform unauthorized actions, exfiltrate sensitive data, or even bring down the Metabase application altogether.

Exploit Details

This vulnerability is particularly dangerous because the H2 Sample Database runs embedded in the Metabase JVM, so Java code defined in a query executes with Metabase's own permissions. That could severely compromise the confidentiality, integrity, and availability of the organization's data.

If a user has the privilege to write native queries, they can craft and submit a well-formed SQL query that contains malicious code, which the H2 database then executes. It is important to note that this code runs under the privileges of the Metabase software, not the attacker's, which amplifies the potential risk and impact.

Security Patches and Recommendations

The Metabase team has addressed this vulnerability in the following versions: 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. The most effective course of action is to update your Metabase instance to a patched release, which disallows DDL statements in H2 native queries and so eliminates the risk of remote code execution through this vulnerability.
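As an added example (not code from Metabase or from this post), the following shows a defender-side guard of the kind the fix describes: it blanks out H2 dollar-quoted blocks, string literals and comments so they cannot hide or mimic a statement, splits the remaining text into statements, and rejects any whose leading keyword is DDL. The keyword list, function names and sample queries are assumptions constructed for illustration.

```python
import re

# Statement-leading keywords treated as DDL here (GRANT/REVOKE added because
# they change privileges). Assumed list for this example, not Metabase's.
DDL_KEYWORDS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}

# Things that may contain ';' or keywords without being statements themselves.
_OPAQUE = re.compile(
    r"\$\$.*?\$\$"            # H2 dollar-quoted block (Java source of an alias)
    r"|'(?:[^']|'')*'"        # single-quoted string literal ('' escapes a quote)
    r"|\"(?:[^\"]|\"\")*\""   # double-quoted identifier
    r"|--[^\n]*"              # line comment
    r"|/\*.*?\*/",            # block comment
    re.DOTALL,
)


def split_statements(sql: str) -> list[str]:
    """Blank out literals and comments, then split on the remaining ';'."""
    stripped = _OPAQUE.sub(" ", sql)
    return [s.strip() for s in stripped.split(";") if s.strip()]


def leading_keyword(stmt: str) -> str:
    """First identifier of a statement, upper-cased; '' if none."""
    m = re.match(r"\s*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def find_ddl(sql: str) -> list[str]:
    """Leading keywords of every DDL statement found in a native query."""
    return [kw for kw in map(leading_keyword, split_statements(sql))
            if kw in DDL_KEYWORDS]


def is_allowed_h2_query(sql: str) -> bool:
    """True when the native query contains no DDL statement at all."""
    return not find_ddl(sql)


if __name__ == "__main__":
    # Constructed sample queries: a harmless alias definition, a DDL statement
    # hidden behind a comment in a multi-statement batch, and a plain SELECT
    # whose string literal merely mentions DDL keywords.
    samples = [
        "CREATE ALIAS ECHO AS $$ String echo(String s) { return s; }$$;",
        "SELECT 1;\n-- looks harmless\nDROP TABLE ORDERS",
        "SELECT * FROM PRODUCTS WHERE TITLE = 'CREATE; DROP'",
    ]
    for q in samples:
        print("allowed" if is_allowed_h2_query(q) else f"blocked {find_ddl(q)}")
```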

If your organization is using an affected version of Metabase, upgrading to the latest security patch is crucial to ensure the safety and integrity of your data. Additionally, perform regular software vulnerability assessments, monitor user activity, and restrict unnecessary access to sensitive databases to minimize the potential impact of such vulnerabilities in the future.

In summary, CVE-2022-39361 is a severe vulnerability affecting older versions of Metabase's H2 (Sample Database) module by allowing remote code execution through SQL queries. By staying vigilant and keeping your Metabase instance up to date, you can protect your organization from this and other potential security threats.

Timeline

Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 16:43:00 UTC