JFrog researchers Andrey Polkovnychenko and Shachar Menashe reported that, “the CVE-2021-42392 vulnerability is the first critical issue revealed since Log4Shell on a component other than Log4j that exploits the same underlying cause as the Log4Shell vulnerability, namely JNDI remote class loading.”
According to the Maven Repository, H2 is a Java-based open-source relational database management system that may be incorporated in applications or used in a client-server configuration. The H2 database engine is utilised by 6,807 artefacts.
Versions 1.1.100 through 2.0.204 of the H2 database are affected, and the problem was fixed in version 2.0.206, which was released on January 5, 2022.
JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory capabilities for Java applications. The API can be used in conjunction with LDAP to locate a particular resource that a Java application may require.
Menashe, senior director of JFrog security research, explained, “Attacker-controlled URLs that propagate into JNDI lookups, similar to the Log4Shell vulnerability discovered in early December, can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person’s or organization’s systems.
In the case of Log4Shell, this feature enables runtime lookups to servers both inside and outside the network, which can be weaponized to allow unauthenticated remote code execution and the installation of malware on the server by crafting a malicious JNDI lookup as input to any Java application that logs it using vulnerable versions of the Log4j library.”
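The root cause described above is untrusted input reaching a JNDI lookup, where a URL-style name (for example an LDAP or RMI URL) makes the JNDI runtime fetch and load objects from a server the attacker chooses. The following is an added illustration, not code from JFrog, H2 or any of the frameworks named on this page: it contrasts the vulnerable pattern (passing a caller-supplied string straight into `InitialContext.lookup`) with a hardened wrapper that only accepts names in the application's local `java:` namespace and refuses anything carrying another scheme. The class and method names are hypothetical, and the sample inputs in `main` are constructed for the demonstration.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (hypothetical names, not the project's code): guarding JNDI
 * lookups so that an attacker-controlled string cannot become a remote lookup.
 */
public final class JndiLookupGuard {

    // VULNERABLE PATTERN: the name is used verbatim. If it is "ldap://..." or
    // "rmi://...", JNDI will contact that server and may load a remote object.
    public static Object lookupUnsafe(String untrustedName) throws NamingException {
        return new InitialContext().lookup(untrustedName);
    }

    // Allowlist check: only names inside the local "java:" namespace
    // (e.g. "java:comp/env/jdbc/AppDS") are accepted. Any other scheme
    // before the first ':' (ldap, ldaps, rmi, iiop, dns, ...) is rejected,
    // as is an empty name or one with a '/' before the ':' (not a scheme).
    public static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        if (colon <= 0) {
            // No scheme at all: resolved against the default context. We reject
            // it too, so that only explicitly local names pass the guard.
            return false;
        }
        String scheme = name.substring(0, colon);
        if (scheme.indexOf('/') >= 0) {
            return false; // "a/b:c" has no scheme; treat as malformed and refuse
        }
        return scheme.equals("java");
    }

    // HARDENED PATTERN: validate before the lookup ever reaches JNDI.
    public static Object lookupGuarded(String name) throws NamingException {
        if (!isLocalJndiName(name)) {
            throw new IllegalArgumentException(
                "refusing non-local JNDI name: " + redact(name));
        }
        return new InitialContext().lookup(name);
    }

    // Keep the rejected value out of logs in full, so a malicious name is not
    // re-emitted into another logger that might itself perform lookups.
    private static String redact(String name) {
        return name.length() <= 16 ? name : name.substring(0, 16) + "...";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is a legitimate local resource
        // name; the rest are the shapes an attacker-controlled value can take.
        String[] samples = {
            "java:comp/env/jdbc/AppDS",
            "ldap://attacker.example:1389/a",
            "rmi://attacker.example:1099/b",
            "dns://attacker.example/c",
            "jdbc/AppDS",
            "",
        };
        for (String s : samples) {
            System.out.printf("%-34s -> %s%n", "\"" + s + "\"",
                isLocalJndiName(s) ? "allowed" : "rejected");
        }
    }
}
```

The guard is an allowlist on the name's scheme rather than a denylist of known-bad ones, so a scheme the author did not think of (or a URL-context factory added later on the classpath) is refused by default. Upgrading the affected component, as the article notes for H2 2.0.206, remains the primary fix; a guard like this only protects code paths the application itself controls.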
Finally, Menashe concluded that, “Many third-party frameworks, such as Spring Boot, Play Framework, and JHipster, employ the H2 database. While this vulnerability isn’t as ubiquitous as Log4Shell, it can still have a significant impact on developers and production systems if it isn’t addressed.”