Remote Code Execution via Source POJO Model Import
A vulnerability in H2O-3 version 3.42.0.2 allows attackers to execute arbitrary code by uploading a malicious source POJO model. The issue, which leads to a full compromise of the system running H2O-3, was identified in the model import flow of the web UI. The advisory does not name the patch version that addresses this vulnerability, so users should consult the H2O-3 repository for updates.
Available publicly on Nov 16, 2023
Remediation Steps
- Ensure your H2O-3 instance is updated to a version that includes the patch for this vulnerability.
- Restrict the ability to import models from external sources, if possible.
- Implement network-level controls to limit access to the H2O-3 instance, reducing the potential attack surface.
- Regularly audit and monitor the H2O-3 instance for unusual activity that could indicate exploitation attempts.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A