Urgent: Upgrade your Metabase installation now. H2-related remote code execution found

TL;DR: Upgrade your Metabase installation IMMEDIATELY. (Again)

We’re back with yet another H2 related vulnerability. We’ve patched a number of vulnerabilities, and are also removing H2 as one of our supported databases. Read more below.

What is the vulnerability?

The core issue is that one of our supported data warehouses (an embedded in-memory database H2) exposes a number of ways for a connection string to include code executed by the process running the embedded database. Because we allow users to connect to databases, this means that a user supplied string can be used to inject executable code.

We allow users to validate their connection string before adding a database (including on setup). This validation API was the primary vector used as it can be called without validation.

We had previously sanitized user input to remove the init command which allowed code execution. In a string of one week, we were informed of three successive vulnerabilities related to the H2 connection string handling by independent security researchers. We fixed each of these in turn.

Due to security concerns, Metabase no longer supports H2 as an official database

Due to the variety of these attacks and the lack of usage of this database driver, we are removing the ability for users to add H2 databases entirely. We believe that continuing to apply user input sanitation bandaids on top of an insecure core problem is irresponsible, so we are removing this functionality from our application. From this release on, you won’t be able to add a new connection to an H2 database. We made this decision after learning about critical vulnerabilities discovered in H2.

Important details

Metabase X.43 and higher are at risk

We know you just upgraded to patch a previous vulnerability, but you should upgrade again to safeguard against this additional severe vulnerability. The exploit is in the wild, so you should upgrade your Metabase as soon as possible. See our security advisory.

If you are a self-hosted Metabase Enterprise customer

You can access the latest patched release version at:

• JAR: https://downloads.metabase.com/enterprise/v1.49.7/metabase.jar
• Docker image via metabase/metabase-enterprise:latest or metabase/metabase-enterprise:v1.49.7.

If you are self-hosting Metabase’s open-source edition

You can access the latest patched release version at:

• JAR: https://downloads.metabase.com/v0.49.7/metabase.jar
• Docker image via metabase/metabase:latest or metabase/metabase:v0.49.7.

If you’re running older versions (43, 44, or 45)

Upgrade to:

• v0.45.4.3 and v1.45.4.3
• v0.44.7.3 and v1.44.7.3
• v0.43.7.3 and v1.43.7.3

See Metabase releases and our docs on upgrading.

If you are on a version of Metabase older than 0.43

You are unaffected by this vulnerability. There are, however, a great many other security and bug fixes since then, and we strongly recommend you upgrade to the latest version as soon as you can.

If you are a Metabase Cloud customer

We have blocked the vulnerable endpoints and are applying the latest patch to your Metabase instance. We are also carefully auditing all of our systems for unauthorized access.

If you are using H2 as an application database for Metabase

You are unaffected. The vulnerabilities were confined to H2’s initial connection and setup, an attack surface that the embedded H2 database doesn’t expose.

If you’re using an H2 database in production, we recommend switching to another database

If you have an existing connection to an H2 database, you’ll still be able to connect to that database with Metabase. But we strongly encourage you to migrate your data from your H2 database to another database.

Thanks to AssetNote, Qing, and Reginaldo, and Calif for uncovering and alerting us to the vulnerabilities

Finally, a thank you to the security researchers and others in our community who helped us find these vulnerabilities.

Credit goes to:

• Shubham Shah and Maxwell Garrett at Assetnote, for discovering the initial vulnerability.
• Chaitin Security Response Institute and independent security researcher bluE0, for reporting a separate attack vector.
• Reginaldo Silva , for another, and different, attack vector.
• Duc Nguyen and Jang Nguyen from the Calif.io team, for another attack vector.

Thanks for keeping open-source software secure.