Researchers have disclosed a security flaw affecting the H2 database console that could lead to remote code execution in a way that echoes the Log4j “Log4Shell” vulnerability that was exposed last month.
The issue is tracked as CVE-2021-42392, is “the first critical issue released since Log4Shell, on components other than Log4j, which exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe Say.
H2 is an open source relational database management system written in Java that can be embedded into applications or run in a client-server mode.according to Maven repository, the H2 database engine is used by 6,807 artifacts.
JNDI, short for Java Naming and Directory Interface, refers to an API that provides naming and directory functionality for Java applications, which can be used in conjunction with LDAP to locate specific resources it may need.
In the case of Log4Shell, this feature supports runtime lookups of servers both inside and outside the network, which in turn, can be weaponized to allow unauthenticated remote code execution, and by crafting malicious JNDI lookups as input on the server Plant malware on any Java application that uses a vulnerable version of the Log4j library to log it.
“Similar to the Log4Shell vulnerability discovered in early December, an attacker-controlled URL propagated into a JNDI lookup could allow unauthenticated remote code execution, giving an attacker the ability to individually control the operation of another person’s or organization’s system,” JFrog Security Research Senior Director Menashe, explained.
The vulnerability affects H2 database versions 1.1.100 to 2.0.204 and has been resolved in version 2.0.206 Shipped January 5, 2022.
“The H2 database is used by many third-party frameworks, including Spring Boot, Play Framework, and JHipster,” Menashe added. “While this vulnerability is not as widespread as Log4Shell, it can still have a huge impact on developers and production systems if not addressed accordingly.”
