IT administrators with the open-source Java-based H2 SQL database in their environments are being urged to update to the latest version after the discovery of an "extremely critical" vulnerability in its console.

Researchers at JFrog said this week the vulnerability, CVE-2021-42392, has the same root cause as the Log4Shell vulnerability in Apache Log4j2: a flaw in how Java Naming and Directory Interface (JNDI) lookups are handled that could allow unauthenticated remote code execution. In this case the affected component is the H2 database console.

H2 database update

The alert recommends that users immediately update to the latest version of H2, version 2.0.206. Implementations that expose an H2 console to a local or wide area network are at great risk.

The alert also notes that some application developer tools use H2 databases that expose the H2 console. These tools could be at risk of spreading malware through supply chain attacks, the researchers warn, another reason why their databases should be updated.

The researchers add that the vulnerability in H2 shouldn't be as widespread as Log4Shell because:

– Unlike Log4Shell, this vulnerability has a "direct" scope of impact. This means that typically the server that processes the initial request (the H2 console) will be the server that is impacted with RCE. This is less severe compared to Log4Shell, since the vulnerable servers should be easier to find.

– On vanilla distributions of the H2 database, by default the H2 console only listens to localhost connections, making the default setting safe. This is unlike Log4Shell, which was exploitable in the default configuration of Log4j. However, researchers add, the H2 console can easily be changed to listen to remote connections as well.

– Many vendors may run the H2 database but not the H2 console. Although there are vectors to exploit this issue other than the console, these other vectors are context-dependent and less likely to be exposed to remote attackers.

H2 database upgrade

"We recommend all users of the H2 database to upgrade to version 2.0.206, even if you are not directly using the H2 console," the researchers say. "This is due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain."

JFrog describes H2 as a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn't require data to be stored on disk. This, they say, makes it a popular data storage solution for various projects, from web platforms like Spring Boot to IoT platforms like ThingWorks. The com.h2database:h2 package is part of the top 50 most popular packages in the open Maven Repository, with almost 7,000 artifact dependencies, says JFrog.
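As an added, runnable check (example code written for this page, not JFrog's or the H2 project's code), the script below does the two things the alert asks administrators to verify: it flags com.h2database:h2 artifacts older than 2.0.206 in `mvn dependency:list`-style output, and it reports whether console settings open the console to hosts other than localhost. The dependency-line format, the sample inputs, and the use of Spring Boot's `spring.h2.console.*` properties and H2's `webAllowOthers` server property are assumptions made for the example, not something stated on this page.

```python
"""Audit helper for the H2 console advisory.

Added example for this page, not JFrog's or the H2 project's code. It
assumes (1) dependency lines in the groupId:artifactId:type:version:scope
shape that `mvn dependency:list` prints, and (2) that the console is
opened to other hosts by Spring Boot's spring.h2.console.* properties or
by H2's webAllowOthers property in .h2.server.properties, both of which
default to false. All sample inputs below are constructed.
"""
import re
from typing import Iterable, List, Tuple

# Version the advisory tells every H2 user to move to.
FIXED_VERSION: Tuple[int, ...] = (2, 0, 206)
H2_COORDS = "com.h2database:h2"

# Matches 'com.h2database:h2:<type>:<version>' and captures the version.
_H2_DEP_RE = re.compile(re.escape(H2_COORDS) + r":[\w-]+:([^:\s]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.204' into (2, 0, 204) so versions compare numerically.
    A component such as '200-SNAPSHOT' keeps its leading digits (200)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else -1)
    return tuple(parts)


def vulnerable_h2_versions(dependency_lines: Iterable[str]) -> List[str]:
    """Return every H2 version in the lines that is older than FIXED_VERSION."""
    flagged = []
    for line in dependency_lines:
        m = _H2_DEP_RE.search(line)
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            flagged.append(m.group(1))
    return flagged


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def console_exposed(properties_text: str) -> bool:
    """True when the configuration opens the H2 console to other hosts.

    Spring Boot needs both the console enabled and web-allow-others set;
    a standalone H2 server is exposed when webAllowOthers is true.
    """
    props = parse_properties(properties_text)

    def is_true(key: str) -> bool:
        return props.get(key, "false").lower() == "true"

    spring_remote = (is_true("spring.h2.console.enabled")
                     and is_true("spring.h2.console.settings.web-allow-others"))
    h2_remote = is_true("webAllowOthers")
    return spring_remote or h2_remote


# ---- constructed sample inputs (not taken from any real project) ----
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter:jar:2.6.2:compile
[INFO]    com.h2database:h2:jar:1.4.200:runtime
[INFO]    com.h2database:h2:jar:2.0.206:test
[INFO]    com.h2database:h2:jar:2.0.204:compile
"""

SAMPLE_SPRING_PROPERTIES = """\
# constructed application.properties: console on, open to other hosts
spring.datasource.url=jdbc:h2:mem:testdb
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""

SAMPLE_H2_SERVER_PROPERTIES = """\
#H2 Server Properties (constructed): default localhost-only console
webAllowOthers=false
webPort=8082
"""

if __name__ == "__main__":
    for v in vulnerable_h2_versions(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"H2 {v} is below {'.'.join(map(str, FIXED_VERSION))}: upgrade")
    print("Spring Boot console reachable from other hosts:",
          console_exposed(SAMPLE_SPRING_PROPERTIES))
    print("Standalone H2 console reachable from other hosts:",
          console_exposed(SAMPLE_H2_SERVER_PROPERTIES))
```

The version check is deliberately a plain tuple comparison against 2.0.206, the version the alert names; a test-scoped 2.0.206 artifact is not flagged, while 1.4.200 and 2.0.204 are. The properties check treats the Spring Boot console as exposed only when it is both enabled and allowed to accept other hosts, which mirrors the article's point that the default, localhost-only setting is the safe one and that a single setting change removes that protection.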