Log4J-Related RCE Flaw in H2 Database Earns Critical Rating

Critical flaw in the H2 open-source Java SQL database are similar to the Log4J vulnerability, but do not pose a widespread threat.

Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems. However, this flaw does not pose the same risk as the previously identified in Log4Shell, they said.

JFrog security discovered the flaw and rated critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by researchers.

H2 is attractive to developers for its lightweight in-memory solution–which precludes the requirement for data to be stored on disk—and is used in web platforms such as Spring Boot and IoT platforms such as ThingWorks.

However, the flaw (CVE-2021-42392) is similar to Log4Shell. “[I]t should not be as widespread” due to a few conditions and factors, JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote in their post.

Log4Shell (CVE-2021-44228) was tied to the Apache Log4j logging library in early December and immediately exploited by attackers. It spawned 60 variants of the original exploit created for the flaw in a 24-hour

Read More: https://threatpost.com/log4j-related-flaw-h2-database/177448/