A critical flaw in the H2 open-source Java SQL database is similar to the Log4j vulnerability, but does not pose a widespread threat.
Researchers discovered a bug related to the Log4j logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable applications. However, this flaw does not pose the same risk as the previously identified Log4Shell, they reported.
JFrog Security discovered the flaw, rated critical, in the H2 Java database console, a popular open-source database, according to a Thursday blog post by its researchers.
H2 is attractive to developers for its lightweight in-memory mode, which removes the need for data to be stored on disk, and is used in web platforms such as Spring Boot and IoT platforms such as ThingWorx.
Although the flaw (CVE-2021-42392) is related to Log4Shell, "[i]t should not be as widespread" due to several conditions and factors, JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote in their post.
Log4Shell (CVE-2021-44228) was tied to the Apache Log4j logging library in early December and quickly exploited by attackers. It spawned 60 variants of the original exploit within a 24-hour period, as well as a faulty fix that could enable DoS attacks when it was first released.
How Is the H2 Bug Similar to Log4j?
The root cause of the H2 flaw is JNDI remote class loading, making it similar to Log4Shell in that several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.naming.Context.lookup function. This allows remote codebase loading, also known as Java code injection or remote code execution, researchers said.
"Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters," they explained in the post. "If the driver's class is assignable to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method."
Reasons to Be Wary, but Not to Panic
However, unlike Log4Shell, the H2 flaw has a "direct" scope of impact, meaning that typically the server that processes the initial request, that is, the H2 console, will feel the direct brunt of the remote code execution (RCE) bug, researchers wrote in the post published Thursday.
"This is less severe compared to Log4Shell since the vulnerable servers should be easier to find," researchers wrote.
Secondly, by default on vanilla distributions of the H2 database, the H2 console only listens to localhost connections, thus making the default setting safe, they said.
"This is in contrast to Log4Shell which was exploitable in the default configuration of Log4j," researchers wrote. However, the H2 console can easily be modified to listen to remote connections as well, which would widen the risk, researchers added.
Indeed, this aspect of the flaw's exploitation significantly lessens its severity compared to the Log4j issue, noted one security professional.
"Log4j was unique in that any number of attacker-manipulated strings, from headers to URL paths, could result in exploitation of the victim depending on how the application was set up to utilize logging with Log4j," Matthew Warner, CTO and co-founder at automated threat detection and response technology provider Blumira, wrote in an email to Threatpost. "In this case, the H2 database console must be purposefully exposed to the internet by changing the configuration."
Thirdly, though many vendors may be running the H2 database, they may not run the H2 console with it, JFrog researchers said. There are other attack vectors that can exploit the H2 flaw; however, they are "context-dependent and less likely to be exposed to remote attackers," researchers noted.
Who Is at Risk?
If the H2 flaw does not warrant the same alarm as Log4Shell, why is it worth noting, one might ask. The JFrog team said that it can be extremely critical and allow unauthenticated RCE for those running an H2 console exposed to a local area network (LAN) or, even worse, a wide area network (WAN). In fact, attacking the H2 console directly is the most severe attack vector, researchers said.
Blumira's Warner said that according to open-source intelligence (OSINT), there are likely fewer than 100 servers on the internet affected by the H2 flaw, "so only a very limited number of organizations" are directly affected, he said.
"This vulnerability is a good reminder that it is critical to ensure that sensitive services are only internally exposed to mitigate potential future issues," Warner added.
Still, JFrog researchers said that many developer tools rely on the H2 database and specifically expose the H2 console. This is worrying due to the "recent trend of supply chain attacks targeting developers, such as malicious packages in popular repositories."
These attacks highlight "the importance of developer tools being made secure for all reasonable use cases," researchers wrote, which is why they hope many H2-dependent tools will be safer after applying their recommended fix.
On that point, the JFrog team recommends that all users of the H2 database upgrade to version 2.0.206, which fixes CVE-2021-42392 by restricting JNDI URLs to the local java protocol only, denying any remote LDAP/RMI queries, researchers explained.
"This is similar to the fix applied in Log4j 2.17.0," they wrote.
Even those not directly using the H2 console should update "due to the fact that other attack vectors exist, and their exploitability may be difficult to verify," researchers added.
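The following is an added illustration, not code from H2 or from the JFrog post, of the two things the article describes: the vulnerable dispatch pattern (a caller-supplied driver class name that turns out to be a javax.naming.Context, whose lookup method then receives an attacker-controlled URL) and the shape of the fix in 2.0.206, which restricts JNDI URLs to the local java: scheme. The method names vulnerableLookup, isAllowedJndiUrl and hardenedLookup, and the sample URLs, are assumptions constructed for the example; the real H2 code and the exact wording of its check are not reproduced here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.SQLException;
import javax.naming.Context;

public class JndiUrlCheckDemo {

    // Simplified illustration, not H2's code: the caller supplies both the
    // driver class name and the URL. If the class is assignable to
    // javax.naming.Context, the URL goes straight into lookup(), so an
    // "ldap://" or "rmi://" URL becomes a remote class load.
    static Object vulnerableLookup(String driverClass, String url) throws Exception {
        Class<?> clazz = Class.forName(driverClass);
        if (!Context.class.isAssignableFrom(clazz)) {
            throw new SQLException("not a JNDI context: " + driverClass);
        }
        Context ctx = (Context) clazz.getDeclaredConstructor().newInstance();
        return ctx.lookup(url); // attacker-controlled URL reaches JNDI unfiltered
    }

    // Hardened check, following the restriction the article attributes to
    // H2 2.0.206: only the local "java:" JNDI namespace is accepted, so
    // LDAP, RMI and anything unparsable are refused before any lookup.
    static boolean isAllowedJndiUrl(String url) {
        if (url == null) {
            return false;
        }
        try {
            String scheme = new URI(url.trim()).getScheme();
            return "java".equalsIgnoreCase(scheme);
        } catch (URISyntaxException e) {
            return false; // reject rather than pass through what we cannot parse
        }
    }

    // Same dispatch as above, now behind the scheme check.
    static Object hardenedLookup(String driverClass, String url) throws Exception {
        if (!isAllowedJndiUrl(url)) {
            throw new SQLException("JNDI URL refused, only java: is allowed: " + url);
        }
        return vulnerableLookup(driverClass, url);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs of the kind that could be handed to the console.
        String[] samples = {
            "java:comp/env/jdbc/ds",
            "ldap://attacker.example:1389/Exploit",
            "rmi://attacker.example:1099/Exploit",
            "LDAP://attacker.example/x",
            "not a url at all",
        };
        for (String s : samples) {
            System.out.println((isAllowedJndiUrl(s) ? "allow " : "deny  ") + s);
        }
        // The hardened path refuses the LDAP URL before any class is instantiated,
        // so this runs offline without contacting anything.
        try {
            hardenedLookup("javax.naming.InitialContext", samples[1]);
        } catch (SQLException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Only the first sample is allowed; the LDAP and RMI URLs (including the upper-case LDAP variant) and the unparsable string are denied. The vulnerable method is deliberately never called with a remote URL in main, since with javax.naming.InitialContext as the "driver" it would attempt the outbound LDAP connection that the flaw enables.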