• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console

You are here: Home / General Cyber Security News / Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console
January 7, 2022

H2 Database Console

Scientists have disclosed a security flaw influencing H2 database consoles that could outcome in remote code execution in a manner that echoes the Log4j “Log4Shell” vulnerability that came to mild previous month.

The issue, tracked as CVE-2021-42392, is the ” first critical issue printed given that Log4Shell, on a component other than Log4j, that exploits the exact root trigger of the Log4Shell vulnerability, namely JNDI distant class loading,” JFrog scientists Andrey Polkovnychenko and Shachar Menashe reported.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Automatic GitHub Backups

H2 is an open-source relational database administration program composed in Java that can be embedded inside of applications or run in a client-server manner. In accordance to the Maven Repository, the H2 databases engine is made use of by 6,807 artifacts.

JNDI, short for Java Naming and Listing Interface, refers to an API that supplies naming and listing operation for Java applications, which can use the API in conjunction with LDAP to identify a certain resource that it may well have to have.

H2 Database Console

In the circumstance of Log4Shell, this feature enables runtime lookups to servers, each inside and outside the house the network, which, in flip, can be weaponized to enable unauthenticated remote code execution and implant malware on the server by crafting a malicious JNDI lookup as input to any Java application that makes use of vulnerable variations of the Log4j library to log it.

“Very similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can permit unauthenticated remote code execution, giving attackers sole manage in excess of the operation of one more particular person or organization’s programs,” Menashe, senior director of JFrog security research, defined.

Prevent Data Breaches

The flaw impacts H2 databases versions 1.1.100 to 2..204 and has been addressed in version 2..206 shipped on January 5, 2022.

“The H2 databases is utilized by numerous 3rd-party frameworks, together with Spring Boot, Enjoy Framework and JHipster,” Menashe added. “Whilst this vulnerability is not as common as Log4Shell, it can still have a dramatic impact on builders and manufacturing devices if not resolved accordingly.”

Uncovered this posting interesting? Stick to THN on Fb, Twitter  and LinkedIn to browse additional exceptional content material we post.


Some elements of this posting are sourced from:
thehackernews.com

Previous Post: «france fines google, facebook €210 million over privacy violating tracking France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies
Next Post: Majority of Americans say ransomware attacks should be considered terrorism majority of americans say ransomware attacks should be considered terrorism»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • State of Cybersecurity Report 2022 Names Ransomware and Nation-State Attacks As Biggest Threats
  • Twitter Fined $150 Million for Misusing Users’ Data for Advertising Without Consent
  • Organizations Urged to Fix 41 Vulnerabilities Added to CISA’s Catalog of Exploited Flaws
  • Interpol Arrest Leader of SilverTerrier Cybercrime Gang Behind BEC Attacks
  • Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room
  • Link Found Connecting Chaos, Onyx and Yashma Ransomware
  • Zoom Patches ‘Zero-Click’ RCE Bug
  • Messages Sent Through Zoom Can Expose People to Cyber-Attack
  • Verizon Report: Ransomware, Human Error Among Top Security Risks
  • How Secrets Lurking in Source Code Lead to Major Breaches

Copyright © TheCyberSecurity.News, All Rights Reserved.