In 2022, a security concern was raised about how H2 Database Engine, up to and including version 2.1.214, lets users start its web-based admin console with a cleartext password supplied through the -webAdminPassword argument. It was assigned CVE-2022-45868, but the H2 project quickly had it marked DISPUTED. In this post we break down what the issue is, why it is controversial, what the real risk is, and how this argument can leak a secret, all in plain language.

What is H2 Database Engine?

H2 Database Engine is a popular open-source, lightweight Java SQL database. Many developers use it for quick development work, and some run it in production microservices, because it is fast and easy to set up.

A handy feature is its browser-based admin console, which lets you check your database from a convenient web interface.

When you start H2's admin console from the command line, you can set an admin password directly:

java -cp h2.jar org.h2.tools.Console -webAdminPassword SuperSecret123

The problem?
Everything after the program name is visible to other users on the same server. On Linux, /proc/<pid>/cmdline is world-readable on a default /proc mount (only the hidepid mount option changes that), so any local account can list every process's arguments with ps. Windows exposes the same data through Task Manager and WMI to anyone allowed to query the process.

Suppose an admin starts H2 with

java -cp h2.jar org.h2.tools.Console -webAdminPassword SuperSecret123

Anyone else on that machine can run

ps aux | grep h2

Sample output

joe      1111  2.0  1.2 123456 56789 ?   Ssl  09:00   0:00 java -cp h2.jar org.h2.tools.Console -webAdminPassword SuperSecret123

Here, SuperSecret123 is exposed to *everyone* with a shell on this machine.
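The ps-and-grep check above is fine for a one-off look, but on a server you are responsible for you will want to find every process that carries a secret in its arguments, not just H2's. The script below is an added example for this post (not H2's code and not from the original article). It reads each /proc/<pid>/cmdline directly, which is what ps does under the hood, matches a small starter list of password-carrying flags (SECRET_FLAGS is an assumption you should extend for your own estate), and reports the process and flag with the value redacted, so the audit output does not become a second copy of the leak.

```shell
#!/bin/sh
# Audit running processes for secrets passed as command-line arguments.
# Added example for this post; not part of H2 or of the original article.
# Works on Linux, where /proc/<pid>/cmdline is NUL-separated and, unless
# /proc is mounted with hidepid, readable by every local user.

# Starter list of flags whose value is a secret (comma-separated; extend it).
# Attached forms such as mysql's -pSECRET are not matched by this list.
SECRET_FLAGS='-webAdminPassword,-password,--password,--token,--api-key'

# find_secret_args PID  <cmdline
# Reads one NUL-separated cmdline on stdin and prints "PID FLAG <redacted, N chars>"
# for each secret it finds. The value itself is never printed: an audit report
# should not become the next copy of the leaked password.
find_secret_args() {
  pid="$1"
  tr '\000' '\n' | awk -v pid="$pid" -v flags="$SECRET_FLAGS" '
    BEGIN { n = split(flags, f, ","); for (i = 1; i <= n; i++) want[f[i]] = 1 }
    grab { printf "%s %s <redacted, %d chars>\n", pid, flag, length($0); grab = 0; next }
    {
      idx = index($0, "=")                      # --password=VALUE form
      key = idx ? substr($0, 1, idx - 1) : $0
      if (!(key in want)) next
      if (idx) printf "%s %s <redacted, %d chars>\n", pid, key, length($0) - idx
      else { grab = 1; flag = key }             # value is the next argument
    }'
}

# scan_proc: run find_secret_args over every process this account can read.
scan_proc() {
  for c in /proc/[0-9]*/cmdline; do
    [ -r "$c" ] || continue
    pid=${c#/proc/}; pid=${pid%/cmdline}
    find_secret_args "$pid" < "$c"
  done
}

# Stand-alone use: sh audit_cmdline.sh --scan
if [ "${1:-}" = "--scan" ]; then
  scan_proc
fi
```

Run it as sh audit_cmdline.sh --scan from an ordinary account. On a default /proc mount it will report every user's processes; if it only sees your own, /proc is mounted with hidepid and the exposure described above is already mitigated on that host.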

Example: Windows

On Windows the same information is available through wmic process get ProcessId,CommandLine, through PowerShell's Get-CimInstance Win32_Process | Select-Object ProcessId, CommandLine, and in Task Manager's Details tab once you add the "Command line" column. A standard user can read the command lines of their own processes this way; reading other users' processes generally needs administrator rights, which is what the vendor means below by "local users with appropriate permissions".

The Vendor’s Response

The H2 development team quickly responded, in a comment on their GitHub issue:

> "This is not a vulnerability of H2 Console. Command line arguments can be seen by local users with appropriate permissions; it's a property of UNIX / Windows OS. Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

They make a valid point: don't put secrets on the command line! This is solid advice not only for H2 but for pretty much every CLI tool. Their reasoning comes down to three points:

1. Not H2's fault: the exposure comes from how the OS publishes process arguments, not from a bug in H2's code.
2. Admin error vs. software flaw: an operator chose to put a secret where the OS shows it, even though safer channels usually exist, such as an environment variable, a permission-restricted file, or an interactive prompt.
3. Industry best practice is clear: never pass sensitive data such as passwords or API keys as command-line arguments.

One practical caveat: "disputed" does not make the exposure go away. If you run H2 this way, the password is readable by other local accounts no matter whose fault that is.

Exploit Details

Let’s walk through how an attacker could gain the admin console password in real life on a shared Linux server.

Step 1: Get a low-privilege shell

Suppose an attacker has a shell on the server as an ordinary, non-root account (a developer, a QA user, a compromised service account). No special privileges are needed.

Step 2: Read the process list

They run

ps aux | grep Console

Output

john    24351  0.2  3.1 172400 12820 ?    S    12:10   0:01 java -cp h2.jar org.h2.tools.Console -webAdminPassword SuperSecret123

Now they know SuperSecret123 is your admin password.

Step 3: Log in to the console

The attacker points a browser at http://localhost:8082 (the console's default port) and enters the exposed password. By default the console only accepts connections from the local machine, which is no obstacle here because the attacker is already local. The admin password is what guards the console's Preferences and Tools pages, so the attacker can change server settings (including allowing connections from other hosts) and run H2's built-in maintenance tools against your database files.

Note: the attacker does NOT need root or administrator access, just a shell as any local user, on a system where /proc has not been hardened with hidepid.

How to Keep the Password Off the Command Line

Don't do this:

java -cp h2.jar org.h2.tools.Console -webAdminPassword SuperSecret123

Prefer a channel the OS does not publish. Two common patterns are an interactive prompt and an environment variable. H2's Console tool does not document either option for this setting, so the two snippets below show the shape of what to ask for, not working H2 flags; check the current H2 docs before relying on one.

An interactive prompt:

java -cp h2.jar org.h2.tools.Console -webAdmin
# The application prompts: "Enter webAdmin password:"

An environment variable, which other accounts cannot read: /proc/<pid>/environ is restricted to the process owner and root, unlike cmdline. Set it from a startup script with 0600 permissions rather than typing it into an interactive shell, where it would also land in your history file:

export H2_WEB_ADMIN_PASSWORD=SuperSecret123
java -cp h2.jar org.h2.tools.Console

What works today on any H2 version is to start the console from a few lines of your own Java code: org.h2.tools.Server.createWebServer(...) accepts the same -web options as the command-line tool, so you can read the password from a permission-restricted file or an environment variable and pass it in-process, where no process listing will show it.
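The vendor's comment calls argument visibility a property of the OS, and on Linux that property is tunable: mounting /proc with hidepid=1 makes other users' /proc/<pid>/cmdline unreadable, and hidepid=2 makes their processes invisible to ps entirely. The script below is an added example for this post (not from the original article and not H2's code). It reports the effective hidepid level from /proc/self/mounts, or from a mounts-format file you pass in, and prints the remount command when it finds the default. Kernels 5.8 and later also accept the spellings off, noaccess, invisible and ptraceable, which it maps to 0, 1, 2 and 4.

```shell
#!/bin/sh
# Report how /proc is mounted with respect to the Linux hidepid option.
# Added example for this post; not part of H2 or of the original article.
#
#   hidepid=0 / off         default: any user can read any /proc/<pid>/cmdline
#   hidepid=1 / noaccess    other users' /proc/<pid>/* files are unreadable
#   hidepid=2 / invisible   other users' processes do not appear in /proc (or ps)
#   hidepid=4 / ptraceable  like 2, but processes you could ptrace stay visible

# proc_hidepid [mounts-file]
# Parses a mounts(5)-format file (default: the live /proc/self/mounts) and prints
# the numeric hidepid level of the proc filesystem mounted on /proc. If /proc
# appears more than once (common in containers) the last mount wins, matching
# what the kernel does. Prints "unknown" and returns 1 if no /proc mount is found.
proc_hidepid() {
  mounts="${1:-/proc/self/mounts}"
  awk '$2 == "/proc" && $3 == "proc" {
         found = 1; level = 0
         n = split($4, opt, ",")
         for (i = 1; i <= n; i++) {
           if (opt[i] ~ /^hidepid=/) {
             v = substr(opt[i], 9)            # text after "hidepid="
             if (v == "off") v = 0
             else if (v == "noaccess") v = 1
             else if (v == "invisible") v = 2
             else if (v == "ptraceable") v = 4
             level = v
           }
         }
       }
       END {
         if (found) print level + 0
         else { print "unknown"; exit 1 }
       }' "$mounts"
}

# Stand-alone use: sh check_hidepid.sh --check
if [ "${1:-}" = "--check" ]; then
  level=$(proc_hidepid)
  case "$level" in
    0) echo "hidepid=0: every local account can read other users' command lines"
       echo "fix: mount -o remount,hidepid=2 /proc   (add gid=<group> to exempt monitoring agents)" ;;
    1|2|4) echo "hidepid=$level: unprivileged accounts cannot read other users' command lines" ;;
    *) echo "could not determine hidepid: $level" ;;
  esac
fi
```

Run sh check_hidepid.sh --check. hidepid hides processes from everything running as other users, including monitoring agents, so add gid=<group> to the mount options to exempt a group, and make the change permanent in /etc/fstab (for example proc /proc proc defaults,hidepid=2,gid=1001 0 0). For a single systemd-managed service, ProtectProc=invisible (systemd 247 and later) does the same for that unit alone. Neither setting helps against root or against another process running as the same account, so it complements, rather than replaces, keeping the password out of argv.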

References

- NVD Entry for CVE-2022-45868
- H2 Database official statement / GitHub issue
- H2 Database Console Docs

Conclusion

While CVE-2022-45868 raised useful awareness about protecting secrets like passwords, it is not a bug in H2 itself: the exposure comes from how the operating system publishes process arguments. Never pass passwords as command-line arguments, no matter what program you are running. If you are an admin or a developer, treat your tools as if everyone can see your options, because on a shared system with a default /proc mount, they can.

Bottom line:
Security is everyone’s responsibility—not just the software vendor’s.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 07/18/2023 18:15:00 UTC