Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems.
JFrog Security discovered the flaw and rated it critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by its researchers.
The root cause of the H2 flaw lies in JNDI remote class loading, which makes it similar to Log4Shell: several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.
Unlike Log4Shell, the H2 flaw has a "Direct" scope of impact, meaning that the server that processes the initial request (that is, the H2 console) will typically feel the direct brunt of the remote code execution bug, the researchers wrote in the same post.
In addition, while many vendors may be running the H2 database, they may not run the H2 console with it, JFrog researchers said.
Still, JFrog researchers said that many developer tools rely on the H2 database and specifically expose the H2 console.
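As an added illustration (not code from H2 or from the JFrog post), the pattern described above in Java: an unguarded JNDI lookup that forwards a caller-supplied URL to the naming provider, beside a hardened version that accepts only local `java:` names. Class and method names are hypothetical.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical class, not H2's own code): guard a JNDI
 * lookup so that an attacker-supplied URL cannot reach a remote provider.
 */
public final class SafeJndiLookup {

    // Weak pattern: an externally supplied string goes straight to JNDI,
    // which will happily resolve remote schemes such as ldap:// or rmi://.
    static Object unguardedLookup(String untrustedUrl) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(untrustedUrl);
    }

    // Accept only names in the local "java:" namespace
    // (for example java:comp/env/jdbc/ds); every other scheme is rejected
    // before the provider ever sees it.
    static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        try {
            String scheme = new URI(name).getScheme();
            return scheme != null && scheme.equalsIgnoreCase("java");
        } catch (URISyntaxException e) {
            return false; // unparsable input is not forwarded
        }
    }

    // Hardened pattern: validate first, then perform the same lookup.
    static Object guardedLookup(String name) throws NamingException {
        if (!isLocalJndiName(name)) {
            throw new NamingException("refusing non-local JNDI name: " + name);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one local name, one remote URL.
        System.out.println(isLocalJndiName("java:comp/env/jdbc/ds"));
        System.out.println(isLocalJndiName("ldap://example.invalid/x"));
    }
}
```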
News URL: https://threatpost.com/log4j-related-flaw-h2-database/177448/