
Researchers discover new JNDI-based vulnerability similar to Log4j

(“Coding Javascript” by Christiaan Colen is licensed under CC BY-SA 2.0)

DevOps firm JFrog disclosed a vulnerability in the console for H2, a popular Java SQL database offering, that comes from the same root JNDI problem as Log4j. It is the first of what will likely be several discoveries as researchers try to replicate the Log4j problem in similarly structured software.

JFrog was quick to say that the H2 console vulnerability, while technically related to Log4j and critical in its own right, should not be viewed as equally disastrous.

"Although this is a critical issue with a similar root cause, CVE-2021-42392 should not be as widespread as Log4Shell," JFrog's Andrey Polkovnychenko and Shachar Menashe wrote in a blog post, later adding: "That being said, if you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately."

The patched version of H2 is 2.0.206.

As with Log4j, attackers can exploit the H2 console by supplying URLs that cause it to load external codebases.

Unlike Log4j, JFrog writes, the vulnerability is far more limited in scope: it is only likely to affect the server running H2, so it will be easier to find and patch. The default setup of the H2 console accepts only localhost connections, meaning that unless the software has been reconfigured, attackers would already need to be on the system to exploit it. And the vulnerability affects only the H2 console, which isn't always used when the H2 database is incorporated into an application.
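The three facts above (fixed version 2.0.206, console disabled by default, console bound to localhost unless reconfigured) are exactly what an asset inventory needs to triage this issue. The following is an added example, not code from JFrog or from this article: it scans a constructed list of services for H2 versions below 2.0.206 and ranks each finding by whether the console is started and whether it is allowed to accept non-localhost connections. It assumes H2 appears either as the Maven coordinate `com.h2database:h2:<version>` or as a jar named `h2-<version>.jar`, and that the console is started with the H2 server options `-web` and `-webAllowOthers`; those option names are the author's assumption, not taken from the article.

```python
"""Triage an application inventory for the H2 console issue (CVE-2021-42392).

Added example. The inventory rows below are constructed, not real hosts.
"""
import re
from typing import List, Optional, Tuple

# Fixed version named by JFrog in the advisory quoted above.
PATCHED = (2, 0, 206)

# Matches "com.h2database:h2:1.4.200", "h2-2.0.202.jar" or "lib/h2-2.0.202.jar",
# while ignoring unrelated artifacts such as log4j-core-2.17.0.jar.
VERSION_RE = re.compile(r"(?:^|[:/-])h2[:-](\d+)\.(\d+)\.(\d+)(?:\.jar)?$")

# Constructed sample inventory: (service, dependency coordinate or jar, command line).
SAMPLE_INVENTORY = [
    ("billing-api", "com.h2database:h2:1.4.200", "java -jar billing.jar"),
    ("reports", "lib/h2-2.0.202.jar",
     "java -cp lib/h2-2.0.202.jar org.h2.tools.Server -web -webAllowOthers"),
    ("dev-sandbox", "h2-2.0.204.jar",
     "java -cp h2-2.0.204.jar org.h2.tools.Server -web"),
    ("legacy", "com.h2database:h2:2.0.206", "java -jar legacy.jar"),
    ("logging-only", "log4j-core-2.17.0.jar", "java -jar app.jar"),
]


def parse_h2_version(coord: str) -> Optional[Tuple[int, int, int]]:
    """Return the H2 version as an int tuple, or None if the artifact is not H2."""
    m = VERSION_RE.search(coord)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def classify(coord: str, cmdline: str) -> str:
    """Rank one service by the scope limits the article describes.

    - patched: version >= 2.0.206, nothing to do.
    - critical-exposed-console: old version, console started and opened to
      non-localhost clients (the "exposed to your LAN" case in the advisory).
    - high-local-console: old version, console started but localhost-only,
      so an attacker already needs a foothold on the host.
    - update-needed: old version, console not started on this command line;
      still update, since the console can be enabled later.
    - not-h2: the artifact is not an H2 jar.
    """
    version = parse_h2_version(coord)
    if version is None:
        return "not-h2"
    if version >= PATCHED:
        return "patched"
    tokens = cmdline.split()
    console_started = "-web" in tokens              # assumed H2 server option
    exposed = console_started and "-webAllowOthers" in tokens  # assumed option
    if exposed:
        return "critical-exposed-console"
    if console_started:
        return "high-local-console"
    return "update-needed"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (service, status) for every row, so findings can be sorted or exported."""
    return [(name, classify(coord, cmd)) for name, coord, cmd in inventory]


if __name__ == "__main__":
    for service, status in triage(SAMPLE_INVENTORY):
        print(f"{service:14} {status}")
```

Run as-is it prints one line per constructed service; in practice the inventory would come from a dependency lock file or process listing, and only the `critical-exposed-console` rows need same-day action, which is the prioritisation JFrog is arguing for.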

JFrog garnered quick praise from outside researchers for contextualizing the relative danger of the H2 console vulnerability in a world already flustered by Log4j remediation.

"I would like to commend the JFrog team in the attention they’ve put towards avoiding unnecessary hype around this issue as well," Casey Ellis, chief technology officer and co-founder of Bugcrowd, wrote in an emailed statement. "Some research teams have opted to capitalize on a sense of panic to get their message out there, while the JFrog folks seem to have taken great care to get their message across, but not cause undue work for already overloaded security teams."

Ellis believes there are yet more JNDI vulnerabilities to come.

"Whenever [one] condition exists, it’s fairly safe to assume that 'THAT BE DRAGONS' elsewhere," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
