
Log4Shell-like security hole found in popular Java SQL database engine H2
2022-01-07 19:32

This time, the bug isn't in Apache's beleaguered Log4j toolkit, but can be found in a popular Java SQL server called the H2 Database Engine.

H2 is designed to be embedded: you can bundle the H2 SQL database code right into your own Java apps, and run your databases entirely in memory, with no need for separate server processes.

As with Log4j, of course, this means that you may have running instances of the H2 Database Engine code inside your organisation without realising it, if you use any apps or development components that themselves quietly include it.

According to H2, apps that embed the H2 engine directly into their code "Are not externally exposed", but as far as we can see this note refers only to the database engine itself when it's not running as a SQL server, and not to the web console component.

What to do? If you have apps that use the H2 Database Engine, upgrade H2 to version 2.0.206.

As far as we can see, the updated H2 Database Engine now only uses JNDI for what are essentially local Java function calls, so that remote code execution as an unexpected side-effect of using JNDI is no longer possible, neither by accident nor design.
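A defender-side check for the two practical points above (H2 may be present in your estate without anyone realising it, and the fix is to move to 2.0.206): the following Python script is an added example, not code from the Sophos article or from the H2 project. It walks a directory tree, reads the Maven metadata that H2 jars carry at META-INF/maven/com.h2database/h2/pom.properties (falling back to the h2-<version>.jar file name), descends into WARs and fat jars, flags anything older than 2.0.206, and notes whether the org/h2/server/web package (the web console the article singles out) is present. The archives it scans are constructed stand-ins written to a temporary directory, so it runs offline.

```python
"""Inventory H2 Database Engine jars on disk and flag versions below the fix.

Added example, not from the Sophos article or the H2 project. Assumes the
standard Maven artifact naming (h2-<version>.jar) and the Maven metadata file
that the H2 jar carries at META-INF/maven/com.h2database/h2/pom.properties.
"""
import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 0, 206)  # first fixed release, as stated in the article
H2_JAR_NAME = re.compile(r"^h2-(\d+(?:\.\d+)*)\.jar$")
H2_POM_PROPS = "META-INF/maven/com.h2database/h2/pom.properties"
H2_CONSOLE_PREFIX = "org/h2/server/web/"  # package holding the H2 web console
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '1.4.200' (or '2.0.206-SNAPSHOT') into (1, 4, 200) for numeric comparison."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def version_from_pom_properties(data):
    """Extract the 'version=' line from a Maven pom.properties blob."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, location):
    """Return findings for one archive (bytes), recursing into nested archives.

    Each finding is a dict with keys: location, version (tuple), console (bool).
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        version = None
        if H2_POM_PROPS in names:
            version = version_from_pom_properties(zf.read(H2_POM_PROPS))
        else:
            m = H2_JAR_NAME.match(os.path.basename(location))
            if m:
                version = m.group(1)
        if version is not None:
            findings.append({
                "location": location,
                "version": parse_version(version),
                "console": any(n.startswith(H2_CONSOLE_PREFIX) for n in names),
            })
        # Fat jars and WARs carry H2 under lib/ or WEB-INF/lib/: descend into them.
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{location}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory, inspect every archive, and mark versions below the fix."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    for finding in inspect_archive(fh.read(), path):
                        finding["vulnerable"] = finding["version"] < FIXED_VERSION
                        results.append(finding)
    return results


def _make_h2_jar(version, with_console=True):
    """Constructed stand-in for an H2 jar: only the metadata the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(H2_POM_PROPS, f"groupId=com.h2database\nartifactId=h2\nversion={version}\n")
        zf.writestr("org/h2/Driver.class", b"")
        if with_console:
            zf.writestr(H2_CONSOLE_PREFIX + "WebServer.class", b"")
    return buf.getvalue()


def build_demo_tree():
    """Write constructed sample archives to a temp directory; returns its path."""
    root = tempfile.mkdtemp(prefix="h2scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "h2-1.4.200.jar"), "wb") as fh:
        fh.write(_make_h2_jar("1.4.200"))
    with open(os.path.join(lib, "h2-2.0.206.jar"), "wb") as fh:
        fh.write(_make_h2_jar("2.0.206"))
    # A WAR that quietly bundles an old H2 under WEB-INF/lib, the case the article warns about.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/h2-1.4.197.jar", _make_h2_jar("1.4.197", with_console=False))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        state = "VULNERABLE" if f["vulnerable"] else "ok"
        ver = ".".join(map(str, f["version"]))
        print(f"{state:10} {ver:8} console={f['console']} {f['location']}")
```

Point `scan_tree()` at an application server's deployment directory or a build output tree instead of the constructed demo to get a real inventory; the `location` field uses `outer.war!inner.jar` notation so a finding inside a bundled archive can be traced back to the deployable that carries it.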


News URL

https://nakedsecurity.sophos.com/2022/01/07/log4shell-like-security-hole-found-in-popular-java-sql-database-engine-h2/