Appgate comments on H2 database console security flaw

Felipe Duarte, Security Researcher at Appgate, says companies need to rush to update their applications following the H2 database console security flaw

Security researchers from software company JFrog recently discovered a critical JNDI-based vulnerability in the H2 database console exploiting a root cause similar to Log4Shell.

In a blog post, the company said that CVE-2021-42392 should not be as widespread as Log4Shell, even though it is a critical issue with a similar root cause. 

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021, and was publicly disclosed on 9 December 2021.

Experts described Log4Shell as the largest vulnerability ever and it affected commercial services including Amazon Web Services, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ and many others.

Felipe Duarte, Security Researcher at Appgate, says the H2 database console security flaw "is considered critical, as it can allow an unauthenticated user to execute arbitrary Java code from the H2 console".

"Tracked under CVE-2021-42392, this flaw is caused by the same component as Log4Shell, the JNDI (Java Naming and Directory Interface) API. Although it's a critical vulnerability, this console is not commonly exposed to the internet. In fact, by default, it only executes in localhost," says Duarte. "The exception is third-party tools like JHipster framework that expose the H2 console through other interfaces, but even then, it should still only be available on the internal network. Of course exceptions exist, and it's possible for misconfigured servers to expose H2 consoles to the internet, but that is not the general case," he adds.

Duarte says: "For the reasons above, we expect it to be used more as a lateral movement exploit (allowing an attacker to go deeper into the network) than as an initial infection vector (like the way Log4Shell can be used). Log4Shell received a CVSS of 10, the highest possible, as it is potentially very destructive. Many applications implement this library at different levels, and it's only necessary for the application to log a malicious string to trigger the vulnerability.

"In summary, CVE-2021-42392 is critical, and companies need to rush to update their applications, but Log4Shell represents a much higher danger. In many applications, it can be easily triggered without access to the internal network. As Log4Shell is getting a lot of attention, we expect many other exploits using the same technique to be published, as developers and pentesters review their code. It's very important for any company developing Java-based applications to review the security of their applications, preferably with a pentest team, and to segment their network, isolating all critical servers from the internet exposed services," he adds. 
