Log4J-Related RCE Flaw in H2 Database Earns Critical Rating
Researchers have detected a critical vulnerability in the H2 open-source Java SQL database that bears similarities to the Log4J vulnerability. However, this flaw does not pose a widespread threat. Researchers stated that the flaw opens the door for an adversary to execute remote code on vulnerable systems. H2 is attractive to developers because it provides an in-memory solution that removes the need to store data on disk. The tool is often used in web platforms. The H2 flaw and the Log4J exploits are similar in that the root cause of both lies in JNDI remote class loading.
In addition, several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to JNDI. This allows remote codebase loading, which is also referred to as Java code injection or remote code execution. Although the pair have similarities in the exploit process and root cause, the H2 flaw is less severe and less widespread. Unlike Log4Shell, H2 has a direct scope of impact: the server processing the initial request is the one directly affected by the remote code execution bug, according to researchers. Vulnerable servers will therefore be easier to locate.