Researchers have discovered a critical RCE flaw in the H2 database console that resembles the “Log4Shell” vulnerability that came to light last month: it, too, can result in remote code execution.
The vulnerability is being tracked as CVE-2021-42392. According to JFrog researchers Andrey Polkovnychenko and Shachar Menashe, it is “the first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading.”
H2 is an open-source relational database management system written in Java; it can be embedded in applications or run in a client-server model. Maven Repository reports that the H2 database engine is used by 6,807 artifacts.
The Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications; it can be used in conjunction with LDAP to locate a resource an application needs.
Log4Shell abuses this mechanism: vulnerable Log4j versions perform runtime lookups to servers both inside and outside the network, and these can be weaponized to allow unauthenticated remote code execution and to implant malware on the server. This is achieved by supplying a malicious JNDI lookup as input to any Java application that logs it with a vulnerable version of the Log4j library.
According to Menashe, senior director of JFrog security research: “Similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person or organization’s systems.”
H2 database versions 1.1.100 through 2.0.204 are vulnerable; the flaw has been addressed in version 2.0.206, shipped on January 5, 2022.
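A check a practitioner would run against that version range, added here as an example and not code from the article, from JFrog or from the H2 project: it scans `mvn dependency:list` output (the sample below is constructed) and flags H2 artifacts that fall within 1.1.100 through 2.0.204.

```python
"""Flag H2 database versions affected by CVE-2021-42392 in a Maven dependency listing."""
import re

# Range stated in the article: 1.1.100 through 2.0.204 are affected; 2.0.206 carries the fix.
FIRST_VULNERABLE = (1, 1, 100)
LAST_VULNERABLE = (2, 0, 204)

# Matches the "groupId:artifactId:packaging:version:scope" lines that `mvn dependency:list` prints.
H2_LINE = re.compile(r"com\.h2database:h2:[^:\s]+:([0-9][^:\s]*)")


def parse_version(text: str) -> tuple:
    """Turn '1.4.200' into (1, 4, 200); drop qualifiers such as '-SNAPSHOT'."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:  # pad so '2.0' compares like '2.0.0'
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the version lies inside the affected range (inclusive)."""
    return FIRST_VULNERABLE <= parse_version(version) <= LAST_VULNERABLE


def scan_dependency_list(output: str) -> list:
    """Return (version, vulnerable) for every H2 dependency line in the output."""
    findings = []
    for line in output.splitlines():
        match = H2_LINE.search(line)
        if match:
            findings.append((match.group(1), is_vulnerable(match.group(1))))
    return findings


# Constructed sample of `mvn dependency:list` output; not taken from any real project.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter:jar:2.6.2:compile
[INFO]    com.h2database:h2:jar:1.4.200:runtime
[INFO]    com.h2database:h2:jar:2.0.206:test
"""

if __name__ == "__main__":
    for version, vuln in scan_dependency_list(SAMPLE):
        print(f"h2 {version}: {'VULNERABLE' if vuln else 'ok'}")
```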
Menashe further added, “The H2 database is used by many third-party frameworks, including Spring Boot, Play Framework, and JHipster. While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly.”