Log4j-like vulnerability discovered in Java code

Last month, a serious vulnerability in the Java software Log4j made headlines. A similar flaw has now been found in the code of the H2 database. An update that completely eliminates the vulnerability is already available.

The vulnerability has been assigned CVE-2021-42392 and stems from the Java Naming and Directory Interface (JNDI), the same mechanism that was the undoing of the Log4j logging library. An attacker can pass a URL to the interface that causes it to load malicious code; that code is then executed, allowing a server system to be taken over completely.

The vulnerability only affects the web console

The H2 software ships with an embedded web console for database management. Through this console, an attacker can send a manipulated request to the database server and launch malware. The impact of the vulnerability is nevertheless likely to be limited: whereas Log4j was used as a background service in many programs, the new vulnerability, according to Threatpost, affects only the console of the H2 database.

Anyone using an H2 database system and the corresponding console should update the software as soon as possible. The developers have now released a patch that closes the gap. H2 versions 1.1.100 to 2.0.204 are affected by the vulnerability. The bug was fixed with build 2.0.206. The latest version prevents LDAP URLs from being used for JNDI queries, thus closing the security gap.
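The fix described above boils down to refusing to resolve JNDI names that point at a remote naming service. The following guard is an added illustration of that mitigation, not code from the H2 project: it goes slightly beyond the article by allowing only the local `java:` namespace (an allowlist) rather than blocking LDAP alone; the class name `JndiGuard` and the helper methods are hypothetical.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical guard placed in front of InitialContext.lookup().
 * A JNDI name such as "ldap://attacker.example/x" makes the JNDI
 * provider contact a remote server and possibly load a class from it.
 * Only names in the local "java:" namespace are resolved here; every
 * other scheme (ldap, ldaps, rmi, iiop, ...) and scheme-less names are
 * rejected before any network-backed provider is touched.
 */
public final class JndiGuard {
    // Local-only namespace; widen deliberately if an application needs more.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("java");

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    /** Returns the lower-cased scheme of a JNDI name, or null if it has none. */
    static String schemeOf(String name) {
        if (name == null) return null;
        Matcher m = SCHEME.matcher(name.trim());
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    /** True only for names that stay inside the allowed local namespace. */
    static boolean isAllowed(String name) {
        String scheme = schemeOf(name);
        return scheme != null && ALLOWED_SCHEMES.contains(scheme);
    }

    /** Resolves the name, or refuses without performing any lookup. */
    public static Object safeLookup(String name) throws NamingException {
        if (!isAllowed(name)) {
            throw new NamingException("JNDI lookup refused for name: " + name);
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; the ldap/rmi ones mimic the attack shape
        // and must be refused, the java: one is a normal resource reference.
        for (String n : new String[] {"java:comp/env/jdbc/ds", "LDAP://host.invalid/a", "rmi://host.invalid/b", "jdbc/ds"}) {
            System.out.println(n + " -> " + (isAllowed(n) ? "allowed" : "refused"));
        }
    }
}
```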