JNDI Vulnerability in H2 Database Similar to Log4Shell

JFrog security researchers published a report on Thursday revealing a JNDI vulnerability in the H2 database console, with the same root cause as the well-known Log4Shell bug: an attacker-controlled string reaches a JNDI lookup, which can pull in and execute remote code. They also noted that the bug has been assigned CVE-2021-42392.

What Is JNDI?

The Java Naming and Directory Interface (JNDI) is a Java API that gives applications naming and directory lookup capabilities: a program hands JNDI a name and gets back an object, with the lookup backed by providers such as LDAP or RMI that may reside on another host. H2 is an open-source Java SQL database used in web platform projects such as Spring Boot and in IoT platforms such as ThingWorx.

About the JNDI Vulnerability

The researchers note that the newly discovered vulnerability should not be as widespread as Log4Shell, for several reasons:

- The bug has a "direct" scope of impact: the RCE affects the server that processes the initial request, rather than being triggered by a malicious string that is merely logged somewhere downstream, as with Log4Shell.
- The default configuration is safe, because the H2 console listens only for connections from localhost. It is exposed to other hosts only when explicitly started with the -webAllowOthers option.
- The H2 database is shipped by many vendors, but the same does not apply to the H2 console, so most H2 deployments do not expose the vulnerable component at all.

The fix is to upgrade H2 to version 2.0.206 or later; where that is not immediately possible, keeping the console bound to localhost removes the remote attack surface.
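The root-cause pattern shared with Log4Shell, shown as an added illustrative example that is not H2's code and not taken from the JFrog report: the unsafe method passes a caller-supplied name straight to InitialContext.lookup, so a name such as ldap://host/x makes the JNDI provider contact that host and possibly load an attacker-controlled object; the hardened variant accepts only names in the local java: namespace and rejects anything carrying a URL scheme before JNDI ever sees it. Hostnames and object names in main are made up.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JndiLookupDemo {

    // Vulnerable pattern (illustration, not H2's code): a caller-supplied name
    // flows directly into a JNDI lookup. If the name is a URL such as
    // ldap://attacker.example/x, the provider contacts that host and may
    // instantiate whatever object the server returns.
    static Object unsafeLookup(String name) throws NamingException {
        return new InitialContext().lookup(name);
    }

    // Hardened variant: refuse any name that is not a local java: name
    // before it reaches JNDI, so remote providers (ldap, ldaps, rmi, iiop,
    // dns, ...) can never be selected by the caller.
    static Object safeLookup(String name) throws NamingException {
        if (!isLocalJndiName(name)) {
            throw new IllegalArgumentException("Refusing non-local JNDI name: " + name);
        }
        return new InitialContext().lookup(name);
    }

    // A name is considered local when it has no URL scheme at all, or when
    // its scheme is exactly "java" (e.g. java:comp/env/jdbc/app).
    static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        if (colon < 0) {
            return true; // plain relative name, resolved by the local context only
        }
        String scheme = name.substring(0, colon).toLowerCase();
        return scheme.equals("java");
    }

    public static void main(String[] args) {
        // Constructed sample names; nothing here performs a real lookup,
        // so the demo runs offline.
        String[] names = {
            "java:comp/env/jdbc/app",
            "jdbc/app",
            "ldap://127.0.0.1:1389/Exploit",
            "rmi://127.0.0.1:1099/Exploit",
            "DNS://127.0.0.1/probe",
        };
        for (String n : names) {
            System.out.println(n + " -> " + (isLocalJndiName(n) ? "allowed" : "rejected"));
        }
    }
}
```

The scheme check is the same idea that the Log4j fix applied to its lookup handling: the lookup API itself is not the bug, but letting untrusted input choose the provider and the remote host is. For H2 the real remediation is the vendor's patched release; a filter like the one above is only a model of why the patched behaviour is safe.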

To the best of our knowledge, CVE-2021-42392 is the first JNDI-related unauthenticated RCE vulnerability to be published since Log4Shell, but

Read More: https://heimdalsecurity.com/blog/jndi-vulnerability-in-h2-database-similar-to-log4shell/