The JFrog security research team has discovered a vulnerability in the H2 database console. CVE-2021-42392 shares a root cause with the now infamous Log4Shell vulnerability.
H2 is a popular open-source SQL database written in Java, which offers a lightweight in-memory solution, meaning data is not required to be stored on disk. This makes it suitable for various platforms, including IoT devices.
Like Log4j, the H2 console passes unfiltered arbitrary URLs to a class responsible for loading code bases remotely, and an attacker can abuse this to obtain remote code execution. It should be noted that authentication is not required to exploit this vulnerability.
Like Log4Shell, an attacker can exploit the H2 console's acceptance of arbitrary URLs to gain remote access to the underlying server. From that initial foothold they can perform a variety of malicious actions, including but not limited to privilege escalation and the deployment of malware.
The following should be noted, however:
Upgrade to H2 database version 2.0.206 immediately. If remote connections are not necessary, configuring the database to listen for localhost connections only will prevent remote exploitation.
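As an added example (not part of the JFrog advisory or the H2 project), the following Python triage helper applies the two conditions above, the fix version 2.0.206 and local-only console access, to a constructed host inventory. The -web, -webAllowOthers and -webPort flags are the org.h2.tools.Server console options; the inventory entries are made up, and treating every version below 2.0.206 as affected is a deliberately conservative assumption.

```python
"""Triage helper for CVE-2021-42392 (H2 console). Added example, not from
the advisory. Judges only the console vector the advisory describes."""
import shlex

# Version the advisory says to upgrade to; anything lower is treated as
# affected (conservative assumption, the lower bound is not on the page).
FIXED_VERSION = (2, 0, 206)


def parse_version(text):
    """Turn a version string such as '1.4.200' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised H2 version: {text!r}")
    return tuple(int(p) for p in parts)


def console_exposure(cmdline):
    """Inspect an H2 Server command line: is the web console started, and
    does it accept clients from other machines?"""
    args = shlex.split(cmdline)
    web = "-web" in args
    # Without -webAllowOthers the console only serves the local machine.
    remote = web and "-webAllowOthers" in args
    return {"console": web, "remote": remote}


def triage(version, cmdline):
    """Return 'patched', 'no-console', 'local-only' or 'remote'."""
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    exposure = console_exposure(cmdline)
    if not exposure["console"]:
        return "no-console"
    return "remote" if exposure["remote"] else "local-only"


# Constructed inventory for illustration, not real hosts.
INVENTORY = [
    ("app-01", "1.4.200", "java -cp h2.jar org.h2.tools.Server -web -webAllowOthers -webPort 8082"),
    ("app-02", "1.4.200", "java -cp h2.jar org.h2.tools.Server -web -webPort 8082"),
    ("app-03", "2.0.206", "java -cp h2.jar org.h2.tools.Server -web -webAllowOthers"),
    ("app-04", "1.4.197", "java -cp h2.jar org.h2.tools.Server -tcp -tcpPort 9092"),
]


def triage_inventory(inventory):
    """Map each host name to its triage result; 'remote' hosts come first."""
    return {host: triage(ver, cmd) for host, ver, cmd in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "remote" need the upgrade first; "local-only" hosts are still affected and should be upgraded, but are not reachable by the remote vector the advisory describes.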