The JFrog security research team has disclosed an issue in the H2 database console, which was issued a critical CVE — CVE-2021-42392. This issue has the same root cause as the Log4Shell vulnerability in Apache Log4j.
H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server model. Like in Log4Shell, this vulnerability is due to several code paths in the H2 database framework that pass unfiltered attacker-controlled URLs to a function that allows for remote code execution.
Matthew Warner, CTO and Co-Founder at Blumira, a Michigan-based provider of automated threat detection and response technology, explains, "While this vulnerability also utilizes remote JNDI class loading, it requires access that is not available with the default configuration of the H2 Database. Log4j was unique in that any number of attack-manipulated strings, from headers to URL paths, could result in exploitation of the victim depending on how the application was set up to utilize logging with Log4j. In this case, the H2 Database Console must be purposefully exposed to the internet by changing the configuration to not only listen on localhost. According to OSINT, there are likely under 100 impacted servers on the internet, so only a very limited number of organizations will be impacted by this. This vulnerability is a good reminder that it is important to ensure that sensitive services are only internally exposed to mitigate potential future risks."
For more information, please visit www.jfrog.com.