itman
Posted January 7, 2022 (edited January 8, 2022 by itman)

Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console

Quote:

Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month.

The issue, tracked as CVE-2021-42392, is the "first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said.

H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode. According to the Maven Repository, the H2 database engine is used by 6,807 artifacts.

The flaw affects H2 database versions 1.1.100 to 2.0.204 and has been addressed in version 2.0.206 shipped on January 5, 2022.

"The H2 database is used by many third-party frameworks, including Spring Boot, Play Framework and JHipster," Menashe added. "While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly."

https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html
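A triage helper for the version range quoted above, added here as an example and not part of the post or the article: it scans a list of classpath jar paths and a pom.xml fragment for the `com.h2database:h2` artifact and flags versions inside the affected range 1.1.100 to 2.0.204. The sample jar paths and pom snippet are constructed for the demonstration.

```python
import re

# Affected range and fix version as stated in the article (CVE-2021-42392).
AFFECTED_MIN = (1, 1, 100)
AFFECTED_MAX = (2, 0, 204)
FIXED = (2, 0, 206)

# Match "h2-<version>.jar" as a path component, so "foo-h2-1.0.jar" is not mistaken for H2.
JAR_RE = re.compile(r"(?:^|[/\\])h2-(\d+\.\d+\.\d+[^/\\]*?)\.jar$")
# Match a Maven dependency block for the H2 artifact and capture its version.
POM_RE = re.compile(
    r"<groupId>\s*com\.h2database\s*</groupId>\s*<artifactId>\s*h2\s*</artifactId>"
    r"\s*<version>\s*([^<\s]+)\s*</version>",
    re.S,
)

def parse_version(v: str):
    """Turn '1.4.200' or '2.0.206-SNAPSHOT' into (1, 4, 200); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(v: str):
    """True if v lies in the affected range, False if outside, None if unparseable."""
    t = parse_version(v)
    if t is None:
        return None
    return AFFECTED_MIN <= t <= AFFECTED_MAX

def find_h2_versions(jar_paths, pom_text):
    """Collect (source, version) pairs from jar file names and pom.xml text."""
    found = [(p, m.group(1)) for p in jar_paths for m in [JAR_RE.search(p)] if m]
    found += [("pom.xml", m.group(1)) for m in POM_RE.finditer(pom_text)]
    return found

def triage(jar_paths, pom_text):
    """Return (source, version, affected) for every H2 occurrence found."""
    return [(src, ver, is_affected(ver)) for src, ver in find_h2_versions(jar_paths, pom_text)]

# Constructed sample input: one vulnerable jar, one fixed jar, one unrelated jar,
# plus a pom.xml declaring an affected version.
SAMPLE_JARS = [
    "/opt/app/lib/h2-1.4.200.jar",
    "/opt/app/lib/h2-2.0.206.jar",
    "/opt/app/lib/guava-31.0.1-jre.jar",
]
SAMPLE_POM = ("<dependency><groupId>com.h2database</groupId>"
              "<artifactId>h2</artifactId><version>2.0.202</version></dependency>")

if __name__ == "__main__":
    for src, ver, hit in triage(SAMPLE_JARS, SAMPLE_POM):
        print(f"{src}: {ver} -> {'AFFECTED' if hit else 'ok'}")
```

Frameworks such as Spring Boot pull H2 in transitively, so check the resolved classpath (the jars actually deployed) rather than only the pom.xml you wrote yourself.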