Security News > 2022 > January > Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems.
JFrog's security research team discovered the flaw and rated it critical in the context of the H2 console, the web console that ships with H2, a popular open-source Java database, according to a Thursday blog post by the researchers.
The root cause of the H2 flaw is JNDI remote class loading, which makes it similar to Log4Shell: several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.
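The JNDI pattern described above, shown as an added Java example that is not H2's code or JFrog's: a lookup that hands a caller-supplied name straight to Context.lookup(), next to a guard that only admits local java: names before the lookup happens. The class, the method names and the sample inputs are hypothetical and constructed for illustration; the remote-loading behaviour of ldap: and rmi: names is the JDK's.

```java
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical demo class: contrasts an unfiltered JNDI lookup with a guarded one.
public class JndiLookupDemo {

    // Vulnerable pattern: whatever the caller supplies reaches Context.lookup().
    // A name such as "ldap://attacker:1389/x" makes the JDK fetch a remote
    // object and, on older JDK defaults, load attacker-supplied classes.
    static Object lookupUnfiltered(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(jndiName);
    }

    // Guard: accept only names in the local "java:" namespace. Anything that
    // names a protocol (ldap:, rmi:, iiop:, dns:, ...) is refused outright.
    static boolean isLocalJndiName(String jndiName) {
        if (jndiName == null) {
            return false;
        }
        String trimmed = jndiName.trim();
        // Case-insensitive scheme check; reject embedded whitespace or control
        // characters that could confuse a downstream parser.
        if (!trimmed.regionMatches(true, 0, "java:", 0, 5)) {
            return false;
        }
        for (int i = 0; i < trimmed.length(); i++) {
            char c = trimmed.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                return false;
            }
        }
        return true;
    }

    // Hardened pattern: the guard runs before any InitialContext is created.
    static Object lookupLocalOnly(String jndiName) throws NamingException {
        if (!isLocalJndiName(jndiName)) {
            throw new NamingException("refusing non-local JNDI name: " + jndiName);
        }
        return new InitialContext().lookup(jndiName);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate local name, three that a
        // request parameter or JDBC URL could carry to trigger remote loading.
        List<String> samples = List.of(
            "java:comp/env/jdbc/appDataSource",
            "ldap://203.0.113.10:1389/Exploit",
            "rmi://203.0.113.10:1099/Exploit",
            "LDAP://203.0.113.10:1389/Exploit"
        );
        for (String name : samples) {
            System.out.printf("%-45s -> %s%n", name,
                isLocalJndiName(name) ? "allowed (local)" : "REFUSED");
        }
    }
}
```

Running main prints "allowed (local)" only for the java: name and REFUSED for the three protocol URLs. The guard is deliberately an allow-list on the scheme rather than a block-list of known-bad ones, because any JNDI provider reachable from the classpath, not just LDAP and RMI, can be abused once the name is attacker-controlled.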
Unlike Log4Shell, the H2 flaw has a "Direct" scope of impact, meaning that the server which processes the initial request (that is, the H2 console) is typically the one that suffers the remote code execution, the researchers wrote in their Thursday post.
In addition, while many vendors may be running the H2 database, they may not run the H2 console with it, the JFrog researchers said.
Still, JFrog researchers said that many developer tools rely on the H2 database and specifically expose the H2 console.
News URL
https://threatpost.com/log4j-related-flaw-h2-database/177448/
Related news
- Apache issues patches for critical Struts 2 RCE bug
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation