A similar vulnerability like Log4shell discovered in H2 database console

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

An unauthenticated remote code execution vulnerability similar to Log4shell has been discovered in H2 Database (a popular Java SQL database) console and has been assigned CVE-2021-42392. It is claimed to be similar to the log4shell vulnerability since they both share the same root cause i.e they both are based on the Java Naming and Directory Interface (JNDI).

This flaw allows attacker-controlled URLs to be passed unfiltered to the javax.naming.Context.lookup function via numerous code paths in the H2 database system and execute remote code. The H2 database has an embedded web-based console for the database management which runs by default at http://localhost:8082. This console allows an unauthenticated attacker to run remote code execution as it fails to validate the parameters such as ‘User Name’ and ‘Password’ before performing lookup with the malicious URL in ‘JDBC URL’ field.

Organizations using an H2 console which is exposed to LAN or WAN should update H2 database to version 2.0.206 immediately.

Upgrading to version 2.0.206 eliminates this vulnerability. However, organization who cannot upgrade to version 2.0.206 can use either of the mitigations below:

The newer version of Java contains trustURLCodebase that does not allow remote codebases to load via JNDI, so upgrading to the latest version of Java (JRE/JDK) will eliminate this vulnerability. However, this mitigation can be bypassed sending a serialized “gadget” Java object through LDAP.
When the H2 console Servlet is installed on a web server, a security constraint can be introduced to restrict access to the console page to specified users.