Security researchers warn of a critical new bug in Java with the same root cause as the Log4Shell vulnerability that is currently being exploited worldwide. Classified as CVE-2021-42392, the flaw has not yet been officially published in the National Vulnerability Database (NVD), but according to security firm JFrog, the vulnerability impacts the console of the popular H2 Java SQL database.
The company advises organizations that have been running an H2 console exposed to their local area network (LAN) or wide area network (WAN) to immediately update the database to version 2.0.206 or risk attackers exploiting it for remote execution of unauthenticated code (RCE).
Like Log4Shell, the bug is related to JNDI (Java Naming and Directory Interface) “remote class loading”. JNDI is an API that provides naming and directory functionality for Java applications. This means that if an attacker can get a malicious URL in a JNDI lookup, they can enable RCE.
“In a nutshell, the root cause is similar to Log4Shell: multiple code paths in the H2 database structure pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows remote loading of the database. code (AKA Java code injection AKA remote code execution),” explains JFrog.
According to the company, specifically the org.h2.util.JdbcUtils.getConnection method takes a driver class name and a database URL as parameters. If the driver class can be assigned to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method.
JFrog points out that the vulnerability is particularly dangerous as the H2 database package is particularly popular. It is one of the top 50 most popular Maven packages with nearly 7000 artifact dependencies.