IT administrators with the open-source Java-based H2 SQL database in their environments are being urged to update to the latest version after the discovery of an “extremely critical” vulnerability in its console.
Researchers at JFrog said this week the vulnerability, CVE-2021-42392, has the same root cause as the Log4Shell vulnerability in Apache Log4j2: a flaw in the use of the Java Naming and Directory Interface (JNDI) that could allow unauthenticated remote code execution. In this case the affected component is the H2 database console.
The alert recommends that users immediately update to the latest version of H2, version 2.0.206. Implementations that expose an H2 console to a local or wide area network are at great risk.
The alert also notes some application developer tools use H2 databases that expose the H2 console. These tools could be at risk of spreading malware through supply chain attacks, the researchers warn, another reason why their databases should be updated.
The researchers add that the vulnerability in H2 shouldn’t be as widespread as Log4Shell because:
– unlike Log4Shell, this vulnerability has a “direct” scope of impact. This means that typically the server that processes the initial request (the H2 console) will be the server that gets impacted with RCE. This is less severe compared to Log4Shell, since the vulnerable servers should be easier to find;
– on vanilla distributions of the H2 database, the H2 console by default only listens for localhost connections, making the default setting safe. This is unlike Log4Shell, which was exploitable in the default configuration of Log4j. However, the researchers add, the H2 console can easily be changed to listen for remote connections as well;
– many vendors may run the H2 database but not the H2 console. Although there are other vectors to exploit this issue besides the console, these other vectors are context-dependent and less likely to be exposed to remote attackers.
“We recommend all users of the H2 database to upgrade to version 2.0.206, even if you are not directly using the H2 console,” the researchers say. “This is due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain.”
JFrog describes H2 as a very popular open-source Java SQL database offering a lightweight in-memory option that doesn’t require data to be stored on disk. This, they say, makes it a popular data storage solution for various projects, from web platforms like Spring Boot to IoT platforms like ThingWorx.
The com.h2database:h2 package is part of the top 50 most popular packages in the open Maven Repository, with almost 7,000 artifact dependencies, says JFrog. This repository holds all the dependencies such as jars (Java archives), library files, plugins, or other artifacts that will be required by programming projects for use by developers.
Researchers say the root cause of the H2 console vulnerability is similar to Log4Shell: several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (also known as Java code injection, or remote code execution).
The most severe attack vector of this issue is through the web-based H2 console, say researchers. While access to the console is protected by a login form, the username and password are not validated before performing a lookup with a potentially malicious URL.
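The two defects the researchers describe, a lookup performed before the login is validated and a JNDI name taken unfiltered from the request, are shown below as an added illustration. This is example code written for this article, not H2’s own source or JFrog’s proof of concept; javax.naming is the real JDK API, while the class, method names and the constructed credential map are hypothetical stand-ins for the console’s login and data-source handling. The hardened version authenticates first and then refuses any name outside the local java: namespace, so a URL pointing at a remote naming service never reaches lookup.

```java
// Added example (not H2's code): the unsafe ordering and unfiltered lookup described
// in the article, beside a hardened version. ConsoleLookupExample, USERS,
// validateCredentials, vulnerableLookup, hardenedLookup and isLocalJndiName are
// hypothetical names; javax.naming.* is the standard JDK JNDI API.
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Map;

public class ConsoleLookupExample {

    // Constructed in-memory credential store standing in for the console's login check.
    private static final Map<String, String> USERS = Map.of("admin", "correct-horse-battery");

    static boolean validateCredentials(String user, String password) {
        return user != null && password != null && password.equals(USERS.get(user));
    }

    // Vulnerable pattern: the JNDI lookup runs on the request-supplied name BEFORE the
    // credentials are checked, so an unauthenticated caller controls what is resolved.
    static Object vulnerableLookup(String user, String password, String jndiName) throws NamingException {
        Object resolved = new InitialContext().lookup(jndiName); // attacker-controlled name reaches JNDI first
        if (!validateCredentials(user, password)) {
            throw new SecurityException("bad credentials");
        }
        return resolved;
    }

    // Hardened pattern: authenticate first, then only resolve names inside the local
    // java: namespace; anything carrying a remote scheme is rejected before lookup.
    static Object hardenedLookup(String user, String password, String jndiName) throws NamingException {
        if (!validateCredentials(user, password)) {
            throw new SecurityException("bad credentials");
        }
        if (!isLocalJndiName(jndiName)) {
            throw new IllegalArgumentException("rejected non-local JNDI name: " + jndiName);
        }
        return new InitialContext().lookup(jndiName);
    }

    // Allow-list check: the java: prefix is the in-process namespace; any name with a
    // "://" authority part is a URL to an external naming service and is refused.
    static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        return name.startsWith("java:") && !name.contains("://");
    }

    public static void main(String[] args) {
        String[] samples = {
            "java:comp/env/jdbc/app",          // constructed local name: accepted
            "ldap://example.invalid/x",        // constructed remote URL: refused
            "java:comp/env/ldap://example.invalid/x" // constructed smuggling attempt: refused
        };
        for (String s : samples) {
            System.out.println(s + " -> local=" + isLocalJndiName(s));
        }
        // With correct credentials but a remote name the hardened path stops before JNDI.
        try {
            hardenedLookup("admin", "correct-horse-battery", "ldap://example.invalid/x");
        } catch (IllegalArgumentException e) {
            System.out.println("hardenedLookup: " + e.getMessage());
        } catch (NamingException e) {
            System.out.println("unexpected naming error: " + e.getMessage());
        }
        // With wrong credentials the hardened path stops even earlier.
        try {
            hardenedLookup("admin", "wrong", "java:comp/env/jdbc/app");
        } catch (SecurityException e) {
            System.out.println("hardenedLookup: " + e.getMessage());
        } catch (NamingException e) {
            System.out.println("unexpected naming error: " + e.getMessage());
        }
    }
}
```

The allow-list is a defence-in-depth illustration of the principle, not a substitute for the fix: the researchers’ recommendation remains upgrading to H2 2.0.206, and keeping the console bound to localhost (its default) removes the most severe vector regardless of the code above. Running the accepted java: name through an actual lookup requires a configured JNDI provider; without one the JDK throws a NamingException, which the main method reports rather than treating as success.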