“H2 Security Flaw Is Critical,” Say Experts

Please find comments by security experts on the H2 database console security flaw that mirrors the Log4Shell vulnerability found in December.

Expert Comments

January 10, 2022
Felipe Duarte
Security Researcher
Appgate

The vulnerability discovered in the H2 console is considered critical, as it can allow an unauthenticated user to execute arbitrary Java code from the H2 console. Tracked under CVE-2021-42392, this flaw is caused by the same component as Log4Shell, the JNDI (Java Naming and Directory Interface) API. Although it's a critical vulnerability, this console is not commonly exposed to the internet. In fact, by default, it only executes in localhost. The exception is third-party tools like the JHipster framework that expose the H2 console through other interfaces, but even then, it should still only be available on the internal network. Of course, exceptions exist, and it's possible for misconfigured servers to expose H2 consoles to the internet, but that is not the general case.

For the reasons above, we expect it to be used more as a lateral movement exploit (allowing an attacker to go deeper into the network) than as an initial infection vector (like the way Log4Shell can be used). Log4Shell received a CVSS of 10, the highest possible, as it is potentially very destructive. Many applications implement this library at different levels, and it's only necessary for the application to log a malicious string to trigger the vulnerability.

In summary, CVE-2021-42392 is critical, and companies need to rush to update their applications, but Log4Shell represents a much higher danger. In many applications, it can be easily triggered without access to the internal network. As Log4Shell is getting a lot of attention, we expect many other exploits using the same technique to be published, as developers and pentesters review their code. It's very important for any company developing Java-based applications to review the security of their applications, preferably with a pentest team, and to segment their network, isolating all critical servers from the internet-exposed services.
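The comment above rests on one fact a defender can verify: the H2 console only matters for CVE-2021-42392 to the extent it is reachable beyond localhost. The following script is an added example (not part of the expert's comment or of the H2 project) that checks three places where that exposure is decided: the `org.h2.tools.Server` command line (the `-web`, `-webAllowOthers` and `-webPort` options are H2's own documented switches, assumed here, not quoted from the article), Spring Boot properties as used by JHipster-style applications (the `spring.h2.console.*` keys are Spring Boot's, likewise assumed), and the host's listening sockets in `ss -ltn` format. All sample inputs are constructed.

```python
"""Defensive check: is an H2 web console reachable beyond localhost?

Added example, not code from the article or the H2 project. The option
names (-web, -webAllowOthers, -webPort) and the Spring Boot property keys
are assumed from the respective documentation; sample inputs are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

H2_DEFAULT_WEB_PORT = 8082  # H2's default console port (assumption from H2 docs)
LOOPBACK_HOSTS = ("127.", "[::1]", "::1", "localhost")


@dataclass
class Finding:
    source: str
    reason: str


def h2_console_exposure_from_cmdline(cmdline: str) -> Optional[Finding]:
    """Flag a JVM command line that starts the H2 console for remote clients."""
    argv = shlex.split(cmdline)
    if "org.h2.tools.Server" not in argv or "-web" not in argv:
        return None  # not an H2 server, or the web console is not started
    port = H2_DEFAULT_WEB_PORT
    if "-webPort" in argv:
        port = int(argv[argv.index("-webPort") + 1])
    if "-webAllowOthers" in argv:
        return Finding(cmdline, f"H2 console on port {port} accepts remote "
                                f"connections (-webAllowOthers)")
    return None  # console bound to localhost only (H2's default behaviour)


def spring_console_allows_others(properties: List[str]) -> bool:
    """Return True if application.properties enables a remotely reachable console."""
    settings = {}
    for line in properties:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    enabled = settings.get("spring.h2.console.enabled", "false") == "true"
    allow_others = settings.get("spring.h2.console.settings.web-allow-others",
                                "false") == "true"
    return enabled and allow_others


def exposed_listeners(ss_lines: List[str], console_port: int) -> List[Finding]:
    """Parse `ss -ltn` output and flag the console port bound to a non-loopback address."""
    findings = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")  # handles 0.0.0.0:8082 and [::]:8082
        if port != str(console_port):
            continue
        if host.startswith(LOOPBACK_HOSTS):
            continue  # loopback binding: what H2 does by default
        findings.append(Finding(line, f"port {console_port} bound to {host}, "
                                      f"reachable from the network"))
    return findings


# Constructed sample inputs, chosen to exercise both the safe and the exposed cases.
SAMPLE_SS = [
    "LISTEN 0 50 127.0.0.1:8082 0.0.0.0:*",   # safe: loopback only
    "LISTEN 0 50 0.0.0.0:8082 0.0.0.0:*",     # exposed on all IPv4 interfaces
    "LISTEN 0 50 [::]:8082 [::]:*",           # exposed on all IPv6 interfaces
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",      # unrelated service, ignored
]
SAMPLE_PROPS = [
    "# constructed application.properties fragment",
    "spring.h2.console.enabled=true",
    "spring.h2.console.settings.web-allow-others=true",
]

if __name__ == "__main__":
    cmd = "java -cp h2.jar org.h2.tools.Server -web -webAllowOthers -webPort 8082"
    for f in [h2_console_exposure_from_cmdline(cmd)] + exposed_listeners(SAMPLE_SS, 8082):
        if f:
            print(f"[!] {f.reason}  <- {f.source}")
    print("spring console reachable remotely:", spring_console_allows_others(SAMPLE_PROPS))
```

Any finding here means the console is on the network path the comment describes for lateral movement; the remediation that follows from the comment is to drop `-webAllowOthers` (or the matching Spring setting) unless the console is genuinely needed, and to keep the host off internet-exposed segments until the application is updated.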

