Update 1/11 - "What is the Status of Coverage" section updated
FortiGuard Labs is aware of newly discovered vulnerability in H2 Database software. The vulnerability is an unauthenticated remote code execution in the H2 database console and similar to Log4j, it is JNDI-based and has an exploit vector similar to it. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog.
What is H2 Database?
H2 is a relational database management system written in Java and is open source. It can be embedded in Java applications or run in client-server mode and data does not need to be stored on disk.
What are the Technical Details?
In a nutshell, the vector is similar to Log4Shell, where several code paths in the H2 database framework pass unfiltered attacker controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (remote code execution). The H2 database contains a web based console which listens for connections at http://localhost:8082. The console will contain parameters that are passed by JdbcUtils.getConnection and a malicious URL controlled by the attacker.
This vulnerability affects systems with H2 console installed. The vulnerability does not affect machines with H2 database installed in standalone mode. The vulnerability (by default) looks for connections from localhost, or a non remote connection. However, this vulnerability can be modified to listen for remote connections, therefore allowing susceptibility to remote code execution attacks.
How Severe is This? Is it Similar to Log4j?
According to the report, this is not believed to be as severe as Log4j, because of several factors. The first factor requires H2 console to be present on the system as both the console and database are able to operate independently of each other. Second, the default configuration of accepting connections from localhost must be edited to listen for external connections, which means that default installations are safe to begin with.
What is the CVSS score?
At this time, details are not available.
What Mitigation Steps are Available?
FortiGuard Labs recommends that users of H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public facing internet is suggested. For further details on mitigation, please refer to the JFrog blog "The JNDI Strikes Back - Unauthenticated RCE in H2 Database Console" located in the APPENDIX.
What is the Status of Coverage?
Customers running the latest IPS definitions (19.237) are protected against exploitation of CVE-2021-42392 with the following signature: