Remote Code Execution in H2 Console JNDI - (CVE-2021-42392)



Post by MikePeller

Remote Code Execution in H2 Console JNDI - (CVE-2021-42392) – FortiGuard Labs is aware of a newly discovered vulnerability in H2 database software. The vulnerability is an unauthenticated remote code execution in the H2 database console, and similar to Log4j, it is JNDI-based and has an exploit vector similar to it. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog.
What Is an H2 Database?
H2 is a relational database management system written in Java and is open source. It can be embedded in Java applications or run in client-server mode, and data does not need to be stored on disk.
What Are the Technical Details?
In a nutshell, the vector is similar to Log4Shell, where several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web-based console that listens for connections at http://localhost:8082. The console will contain parameters that are passed by JdbcUtils.getConnection and a malicious URL controlled by the attacker.
This vulnerability affects systems with the H2 console installed. The vulnerability does not affect machines with the H2 database installed in standalone mode. The vulnerability (by default) looks for connections from localhost, or a non-remote connection. However, this vulnerability can be modified to listen for remote connections, therefore allowing susceptibility to remote code execution attacks.
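The post notes that the console is localhost-only by default and only becomes remotely reachable when that setting is changed. The following is an added audit helper (not code from the advisory or from the H2 project) that checks the two places where the H2 console is opened to other hosts: the `-webAllowOthers` switch on the `org.h2.tools.Server` command line and `webAllowOthers=true` in the saved console properties file. The sample command line and properties text are constructed.

```python
import shlex

# Constructed sample inputs for the check below (not taken from the advisory).
SAMPLE_CMDLINE = "java -cp h2.jar org.h2.tools.Server -web -webAllowOthers -webPort 8082"
SAMPLE_PROPERTIES = "webAllowOthers=true\nwebPort=8082\nwebSSL=false\n"


def parse_properties(text):
    """Minimal key=value parser for H2's .h2.server.properties style files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_h2_console(cmdline, properties_text=""):
    """Report whether an H2 web console is exposed beyond localhost.

    Looks at the org.h2.tools.Server command line (-web, -webAllowOthers,
    -webPort) and at the saved console settings (webAllowOthers, webPort).
    The console defaults to localhost-only; either switch opens it to
    remote clients, which is the precondition the advisory describes.
    """
    args = shlex.split(cmdline)
    props = parse_properties(properties_text)
    reasons = []
    if "-webAllowOthers" in args:
        reasons.append("command line: -webAllowOthers")
    if props.get("webAllowOthers", "").lower() == "true":
        reasons.append("properties: webAllowOthers=true")
    port = 8082  # H2's default console port
    if "-webPort" in args and args.index("-webPort") + 1 < len(args):
        port = int(args[args.index("-webPort") + 1])
    elif props.get("webPort", "").isdigit():
        port = int(props["webPort"])
    return {
        "web_console": "-web" in args,
        "remote_allowed": bool(reasons),
        "port": port,
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(audit_h2_console(SAMPLE_CMDLINE, SAMPLE_PROPERTIES))
```

A `remote_allowed` result of `True` on a host that has not yet been patched is the condition to treat as urgent; a localhost-only console still warrants the upgrade but is not reachable from the network.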