RCE vulnerability – similar to log4j – discovered in H2 (Java) database system

Sicherheit (Pexels, allgemeine Nutzung)[German]Security researchers have discovered a remote code execution (RCE) vulnerability in the H2 database console that is reminiscent of the recently discovered JAVA vulnerability log4j. Meanwhile, the developers of the H2 database console have released a security update that closes this vulnerability.


H2 is an open-source relational database management system written in Java that can be embedded in applications or run in a client-server mode. H2 provides a lightweight in-memory solution that does not require data to be stored on disk.

This makes H2 a popular data storage solution for various projects, from web platforms like Spring Boot to IoT platforms like ThingWorks. The com.h2database:h2 package is part of the top 50 most popular Maven packages with nearly 7000 artifact dependencies.

The CVE-2021-42392 vulnerability

A user pointed out The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console found by JFrog security researchers Andrey Polkovnychenko and Shachar Menashe. The vulnerability affects JNDI, an acronym for Java Naming and Directory Interface. It is a reference to an API that provides naming and directory functions for Java applications, which can use the API in conjunction with LDAP to find a specific resource they might need.

This is basically the same mechanism that doomed log4j. The H2 database includes an embedded web-based console that allows for easy management of the database. It is available by default at http://localhost:8082 when you run the H2 package JAR package. Menashe, senior director of JFrog security research, explains:

Similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person or organization's systems.

Thus, attackers can attack the H2 database through its console by sending it URLs to load code through the JNDI lookup interface. The bug affects H2 database versions 1.1.100 through 2.0.204 and was fixed in version 2.0.206, dated January 5, 2022. Since version 2.0.206, H2 Console and linked tables explicitly prohibit the specification of LDAP URLs for JNDI. Only local data sources can be used.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *