New Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console
Threat Level Description
Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have observed a newly identified remote code execution flaw that works in a similar manner to the Log4j “Log4Shell” vulnerability and affects H2 database consoles.
An attacker exploiting this vulnerability could achieve remote code execution, escalate their access privileges and thereby take full control of another person’s or organisation’s systems.
H2 is a Java-based open-source relational database management system that may be incorporated in applications or used in a client-server configuration.
The vulnerability, named “JNDI remote class loading” (CVE-2021-42392), shares the same root cause as “Log4Shell”.
The Java Naming and Directory Interface (JNDI) is a Java API that provides naming and directory capabilities for Java applications. The API can be used in conjunction with LDAP to locate a resource that a Java application requires.
In the case of “Log4Shell”, this feature enables runtime lookups to servers both inside and outside the network. A crafted JNDI lookup string supplied as input to any Java application that logs it with a vulnerable version of the Log4j library can therefore be weaponised to achieve unauthenticated remote code execution and to install malware on the server.
As with “Log4Shell”, the root cause of the “JNDI remote class loading” vulnerability is that several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs into JNDI lookups, i.e. to the javax.naming.Context.lookup function, which can lead to remote codebase loading (Java code injection / remote code execution).
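As an added illustration, not part of the original alert and not H2’s own code, the following Java wrapper shows how the root cause described above, an unfiltered name reaching javax.naming.Context.lookup, can be closed at the call site: plain names and java: names are passed through, while any name that is a URL with a scheme able to make JNDI contact a remote server is rejected. The class and method names are hypothetical; the two trustURLCodebase system properties are the real JDK settings that govern remote codebase loading and default to false on Java 8u191 and later.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;

// Hypothetical hardened front-end for Context.lookup (added example, not H2 code)
public final class SafeJndiLookup {

    // URL-scheme syntax per RFC 3986; a JNDI name that matches is treated as a URL
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.\\-]*):");

    // Schemes whose JNDI providers resolve the name over the network
    private static final Set<String> REMOTE_SCHEMES =
        Set.of("ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis");

    private SafeJndiLookup() {}

    // Accept plain compound names (resolved in the local namespace) and java: names only
    public static boolean isSafeName(String name) {
        if (name == null || name.trim().isEmpty()) return false;
        Matcher m = SCHEME.matcher(name);
        if (!m.find()) return true;                       // e.g. "jdbc/app"
        String scheme = m.group(1).toLowerCase(Locale.ROOT);
        if (REMOTE_SCHEMES.contains(scheme)) return false;  // e.g. "ldap://host/x"
        return scheme.equals("java");                      // e.g. "java:comp/env/jdbc/app"
    }

    // Defence in depth: report whether the JVM would load classes from a remote codebase
    public static boolean remoteCodebaseTrusted() {
        return Boolean.getBoolean("com.sun.jndi.ldap.object.trustURLCodebase")
            || Boolean.getBoolean("com.sun.jndi.rmi.object.trustURLCodebase");
    }

    // Only names that pass isSafeName ever reach Context.lookup
    public static Object lookup(Context ctx, String name) throws NamingException {
        if (!isSafeName(name)) {
            throw new NamingException("refusing JNDI lookup of untrusted URL name: " + name);
        }
        return ctx.lookup(name);
    }
}
```

Calling remoteCodebaseTrusted() at start-up and logging a warning when it returns true gives operators an early signal that the JVM has been configured to fetch code from JNDI-referenced URLs.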
Note that although this is a critical issue, it is not as widespread as “Log4Shell” (CVE-2021-44228) due to the following factors:
• This vulnerability, unlike “Log4Shell”, has a “direct” effect: the RCE will usually affect only the server that processes the initial request (the H2 console). Compared with Log4Shell this is less serious, because susceptible servers should be easier to locate.
• On vanilla H2 database releases the H2 console listens only on localhost by default, which is a safe setting, in contrast to “Log4Shell”, which could be exploited in Log4j’s default configuration. It is worth mentioning, though, that the H2 console can readily be configured to accept remote connections.
• Many suppliers may have the H2 database installed, but not the H2 console.
Affected versions: H2 database versions 1.1.100 to 2.0.204
You should implement the relevant mitigations and updates provided by the vendors without delay.
You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organisation is. It is very important to apply an efficient patch management solution, to keep active security event logging enabled at all times and to practise event monitoring. Protecting the valuable assets of your business and remaining compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including penetration testing at least annually and upon significant changes.