“H2 Security Flaw Is Critical,” Say Experts

Please find comment from a security expert on the H2 database console security flaw, which mirrors the Log4Shell vulnerability found in December.

Felipe Duarte, Security Researcher
January 10, 2022 8:11 pm

The vulnerability discovered in the H2 console is considered critical, as it can allow an unauthenticated user to execute arbitrary Java code from the H2 console. Tracked under CVE-2021-42392, this flaw is caused by the same component as Log4Shell, the JNDI (Java Naming and Directory Interface) API. Although it’s a critical vulnerability, this console is not commonly exposed to the internet. In fact, by default, it only runs on localhost. The exception is third-party tools like the JHipster framework that expose the H2 console through other interfaces, but even then, it should still only be available on the internal network. Of course exceptions exist, and it’s possible for misconfigured servers to expose H2 consoles to the internet, but that is not the general case.

For the reasons above, we expect it to be used more as a lateral movement exploit (allowing an attacker to go deeper into the network) than as an initial infection vector (the way Log4Shell can be used). Log4Shell received a CVSS of 10, the highest possible, as it is potentially very destructive. Many applications implement this library at different levels, and it’s only necessary for the application to log a malicious string to trigger the vulnerability.

In summary, CVE-2021-42392 is critical, and companies need to rush to update their applications, but Log4Shell represents a much higher danger. In many applications, it can be easily triggered without access to the internal network. As Log4Shell is getting a lot of attention, we expect many other exploits using the same technique to be published, as developers and pentesters review their code. It’s very important for any company developing Java-based applications to review the security of their applications, preferably with a pentest team, and to segment their network, isolating all critical servers from the internet-exposed services.

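The comment above turns on one question a defender can actually check: is the H2 console reachable only from localhost, or from other hosts too? The script below is an added example, not code from the original page, from the commenter, or from the H2 project. It assumes, beyond what the comment states, that the console is configured either through an `~/.h2.server.properties` file (`webAllowOthers`), through Spring Boot's `spring.h2.console.*` properties (which is how JHipster-generated applications expose it), or through the `-webAllowOthers` flag of `org.h2.tools.Server`, and that H2 2.0.206 is the first release carrying the CVE-2021-42392 fix. All sample inputs are constructed, not taken from a real deployment.

```python
"""Classify where an H2 web console can be reached from, and whether the H2
build predates the CVE-2021-42392 fix.

Added example; assumptions (not from the page): ~/.h2.server.properties uses
webAllowOthers, Spring Boot uses spring.h2.console.* properties, the CLI flag
is -webAllowOthers, and H2 2.0.206 is the first fixed release.
"""
import re
import shlex
from dataclasses import dataclass

FIXED_VERSION = (2, 0, 206)  # assumed first H2 release with the CVE-2021-42392 fix

# Settings that open the console to interfaces other than loopback.
EXPOSURE_KEYS = ("webAllowOthers", "spring.h2.console.settings.web-allow-others")
# Any key matching this is taken as evidence the file configures an H2 console.
H2_KEY = re.compile(r"^(web\w+|spring\.h2\.console(\.|$).*)$")


@dataclass
class Finding:
    source: str
    severity: str  # "high": reachable from other hosts; "low": loopback only; "info": n/a
    message: str


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def truthy(value) -> bool:
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_properties(source: str, text: str) -> Finding:
    """Config file -> console absent/disabled, loopback-only, or exposed to other hosts."""
    props = parse_properties(text)
    if not any(H2_KEY.match(k) for k in props):
        return Finding(source, "info", "no H2 console settings found")
    if "spring.h2.console.enabled" in props and not truthy(props["spring.h2.console.enabled"]):
        return Finding(source, "info", "H2 console disabled")
    if any(truthy(props.get(k, "false")) for k in EXPOSURE_KEYS):
        return Finding(source, "high", "H2 console accepts connections from other hosts")
    return Finding(source, "low", "H2 console bound to localhost only (lateral-movement exposure only)")


def audit_command(source: str, cmdline: str) -> Finding:
    """Same classification for a 'java ... org.h2.tools.Server ...' launch command."""
    args = shlex.split(cmdline)
    if "org.h2.tools.Server" not in args or "-web" not in args:
        return Finding(source, "info", "no H2 web console started by this command")
    if "-webAllowOthers" in args:
        return Finding(source, "high", "H2 console started with -webAllowOthers")
    return Finding(source, "low", "H2 console started on localhost only")


def parse_version(version: str) -> tuple:
    """'2.1.214' -> (2, 1, 214); tolerates suffixes such as '-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def audit_version(source: str, version: str) -> Finding:
    if parse_version(version) < FIXED_VERSION:
        return Finding(source, "high", f"H2 {version} predates the CVE-2021-42392 fix (2.0.206)")
    return Finding(source, "info", f"H2 {version} includes the CVE-2021-42392 fix")


# Constructed sample inputs (hypothetical files, not real deployments).
SAMPLES = {
    "~/.h2.server.properties": "webAllowOthers=true\nwebPort=8082\nwebSSL=false\n",
    "application-dev.properties": (
        "spring.h2.console.enabled=true\n"
        "spring.h2.console.path=/h2-console\n"
        "spring.h2.console.settings.web-allow-others=false\n"
    ),
    "application-prod.properties": "spring.h2.console.enabled=false\n",
}
SAMPLE_CMD = "java -cp h2-1.4.200.jar org.h2.tools.Server -web -webAllowOthers -webPort 8082"


def run_audit() -> list:
    findings = [audit_properties(name, text) for name, text in SAMPLES.items()]
    findings.append(audit_command("start-h2.sh", SAMPLE_CMD))
    findings.append(audit_version("pom.xml", "1.4.200"))
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity:4}] {f.source}: {f.message}")
```

A "high" finding is the case the comment treats as the exception (console reachable from other hosts, and from the internet if the host is); a "low" finding is the common localhost-only case, which still matters once an attacker already has a foothold on the box or its network. Either way the version check is the one that decides whether patching is still outstanding.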