Researchers Warn of New Log4Shell-Like Java Vulnerability
Security researchers are warning of a critical new Java bug with the same root cause as the notorious Log4Shell vulnerability currently being exploited around the globe.

CVE-2021-42392 has yet to be officially published in the National Vulnerability Database (NVD), but according to JFrog, it impacts the console of the popular H2 Java SQL database.

The security firm urged any organization currently running an H2 console exposed to their LAN or WAN to update the database immediately to version 2.0.206 or risk attackers exploiting it for unauthenticated remote code execution (RCE).

Like Log4Shell, the bug relates to JNDI (Java Naming and Directory Interface) “remote class loading.” JNDI is an API that provides naming and directory functionality for Java apps. If an attacker can get a malicious URL into a JNDI lookup, the remote class loading that the lookup triggers can lead to RCE.

“In a nutshell, the root cause is similar to Log4Shell – several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (AKA Java code injection AKA remote code execution),” JFrog explained.

“Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters. If the driver’s
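As an added illustration of the mitigation side (this is not code from the article, from JFrog, or from H2, and the class and method names are hypothetical), the guard below allowlists the driver class and requires a plain `jdbc:` URL before a caller-supplied driver/URL pair is used, so a javax.naming.Context implementation and naming-service URLs never reach a lookup:

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Set;

/** Guard for a caller-supplied JDBC driver class name and URL (hypothetical example, not H2 code). */
public final class JdbcTargetGuard {

    // Drivers this deployment actually uses (constructed list). Anything else, including any
    // javax.naming.Context implementation, is refused before a single class is loaded.
    private static final Set<String> ALLOWED_DRIVERS = Set.of("org.h2.Driver", "org.postgresql.Driver");

    // JNDI URL schemes that must never be handed to a lookup; checked as defense in depth even
    // though the jdbc: prefix requirement already excludes them at the start of the URL.
    private static final Set<String> NAMING_SCHEMES = Set.of("ldap:", "ldaps:", "rmi:", "iiop:", "dns:");

    private JdbcTargetGuard() {}

    /** Returns true only if both the driver name and the URL are acceptable. */
    public static boolean isAllowed(String driver, String url) {
        if (driver == null || url == null) return false;
        if (!ALLOWED_DRIVERS.contains(driver)) return false;   // unknown or Context-based driver
        String lower = url.trim().toLowerCase(Locale.ROOT);
        if (!lower.startsWith("jdbc:")) return false;           // must be a JDBC URL, not a naming URL
        for (String scheme : NAMING_SCHEMES) {
            if (lower.contains(scheme + "//")) return false;    // naming URL embedded later in the string
        }
        return true;
    }

    /** Opens a connection only after the guard passes; otherwise the driver name never reaches Class.forName. */
    public static Connection open(String driver, String url, String user, String password) throws SQLException {
        if (!isAllowed(driver, url)) {
            throw new SQLException("rejected driver/url pair for driver " + driver);
        }
        try {
            Class.forName(driver);   // load only an allowlisted JDBC driver
        } catch (ClassNotFoundException e) {
            throw new SQLException("driver not on classpath: " + driver, e);
        }
        return DriverManager.getConnection(url, user, password);
    }

    public static void main(String[] args) {
        System.out.println(isAllowed("org.h2.Driver", "jdbc:h2:mem:test"));
        System.out.println(isAllowed("javax.naming.InitialContext", "ldap://example.invalid/x"));
    }
}
```

The allowlist is the decisive control; the scheme scan only catches a naming URL that a caller has tucked further into an otherwise well-formed JDBC URL.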

Read More: https://www.infosecurity-magazine.com/news/researchers-new-log4shelllike-java/