While the Log4j chaos is finally calming, new critical flaws emerge to threaten the IT world. The new vulnerability in the H2 database console, tracked as CVE-2021-42392, is quite similar to the Log4j flaw: it is based on JNDI remote class loading, the same mechanism behind the first and most impactful version of the Log4j flaws. Fortunately, the H2 database is not as widely used as Java itself.
Almost 7000 artifacts are using the H2
The open-source Java SQL database management system, H2, can either be embedded in applications or run in client/server mode. The H2 system is written in Java. It is a lightweight solution because it does not require data to be stored on disk. H2 is popular; it is one of the top 50 most popular Maven packages.
Although H2 is quite popular, its popularity is still almost “nothing” compared to Log4j, and the H2 database console flaw is quite limited in scope. In the default configuration of the H2 database console, the vulnerability is not exploitable, in contrast to Log4j, which was exploitable in its default config. In addition, running the H2 console, which carries the CVE-2021-42392 flaw, is not essential to running the H2 database; this also eliminates some of the attack vectors. There are other vectors for exploiting this issue, but those vectors are context-dependent, which makes them harder to exploit.
The vulnerability only affects the H2 versions between 1.1.100 and 2.0.204. Updating to the 2.0.206 version fixes the related risks.
Is my database affected by the CVE-2021-42392 flaw?
If your H2 database version is between 1.1.100 and 2.0.204, and you are using it in a non-default configuration, then yes, most likely.
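The version check above is easy to automate across a deployment. The following script is an added example, not code from the article or from the H2 project: it walks a directory tree for `h2*.jar` files, reads the version from the Maven `pom.properties` entry that Maven-built jars normally carry (assumed here, with the file name as a fallback), and flags any version inside the affected range 1.1.100 to 2.0.204. The constants and function names are the example's own.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range and fixed release as stated in the article (inclusive bounds).
FIRST_AFFECTED = (1, 1, 100)
LAST_AFFECTED = (2, 0, 204)
FIXED = (2, 0, 206)

# Maven-built jars usually ship this file; the path is an assumption for H2.
POM_PROPERTIES = "META-INF/maven/com.h2database/h2/pom.properties"


def parse_version(text):
    """Turn a string such as '1.4.200' into (1, 4, 200), ignoring any suffix."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 3:
        raise ValueError(f"unrecognised H2 version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True when the version lies inside the CVE-2021-42392 affected range."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def jar_version(jar_path):
    """Read the H2 version from pom.properties, else from the file name."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPERTIES in jar.namelist():
            props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.MULTILINE)
            if m:
                return m.group(1)
    m = re.search(r"h2-(\d+\.\d+\.\d+)", Path(jar_path).name)
    return m.group(1) if m else None


def scan_for_h2(root):
    """Return (path, version, affected) for every h2*.jar below root."""
    findings = []
    for jar in Path(root).rglob("h2*.jar"):
        version = jar_version(jar)
        affected = is_affected(version) if version else None  # None: unknown
        findings.append((str(jar), version, affected))
    return findings


if __name__ == "__main__":
    for path, version, affected in scan_for_h2(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: version={version} affected={affected}")
```

A result of `affected=None` means the jar carried no recognisable version string and needs a manual look.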
How do I fix my H2 database for the CVE-2021-42392 flaw?
To fix the CVE-2021-42392 flaw on the H2 database console, you should update it to the 2.0.206 version, which was released on January 4th.
Is there a tool to check my H2 database for the CVE-2021-42392 flaw?
Yes, Cyber Security Works Research Labs has released a tool on GitHub to detect the vulnerability.