One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 3938226
Publication date 2022-01-07 18:18:27 (viewed: 2022-01-08 03:05:21)
Title Remote Code Execution in H2 Console JNDI - (CVE-2021-42392)
Text FortiGuard Labs is aware of a newly discovered vulnerability in the H2 Database software. The vulnerability is an unauthenticated remote code execution flaw in the H2 database console. Like Log4j, it is JNDI-based and has a similar exploit vector. This vulnerability has been assigned CVE-2021-42392 and was found by security researchers at JFrog.

What is H2 Database?
H2 is an open-source relational database management system written in Java. It can be embedded in Java applications or run in client-server mode, and data does not need to be stored on disk.

What are the Technical Details?
In a nutshell, the vector is similar to Log4Shell: several code paths in the H2 database framework pass unfiltered, attacker-controlled URLs to the javax.naming.Context.lookup function, which allows remote codebase loading (remote code execution). The H2 database ships with a web-based console that listens for connections at http://localhost:8082. The console accepts connection parameters that are passed to JdbcUtils.getConnection, including a malicious URL controlled by the attacker. This vulnerability affects systems with the H2 console installed; it does not affect machines running the H2 database in standalone mode. By default, the console only accepts connections from localhost (non-remote connections). However, the configuration can be changed to listen for remote connections, which makes the instance susceptible to remote code execution attacks.

How Severe is This? Is it Similar to Log4j?
According to the report, this is not believed to be as severe as Log4j, for several reasons. First, the H2 console must be present on the system, and the console and the database can operate independently of each other. Second, the default configuration of accepting connections only from localhost must be changed to listen for external connections, which means that default installations are safe to begin with.

What is the CVSS score?
At this time, details are not available.

What Mitigation Steps are Available?
FortiGuard Labs recommends that users of the H2 database software upgrade to version 2.0.206 immediately. If this is not possible, placing a vulnerable instance behind a firewall or removing access from the public-facing internet is suggested. For further details on mitigation, please refer to the JFrog blog "The JNDI Strikes Back - Unauthenticated RCE in H2 Database Console" located in the APPENDIX.

What is the Status of Coverage?
FortiGuard Labs is currently assessing an IPS signature to address CVE-2021-42392. This Threat Signal will be updated once a relevant update is available.
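The advisory gives three factors that decide whether a host is exposed: the web console must be running, it must have been reconfigured to accept non-local connections, and the H2 version must be older than the fixed release 2.0.206. The following script is an added example (not code from Fortinet or JFrog) that applies those three factors to Java process command lines for defender-side triage. It assumes the H2 jar follows the Maven artifact naming h2-x.y.z.jar, and that the console was started through org.h2.tools.Server, where the -web switch starts the console and the -webAllowOthers switch is what opens it to remote clients. The sample command lines are constructed for illustration; consoles started programmatically from application code would not be seen by this check and still need an inventory of H2 versions.

```python
import re

# Release in which the advisory says CVE-2021-42392 is fixed.
FIXED_VERSION = (2, 0, 206)

# Constructed sample process command lines (not captured from any real host).
SAMPLE_CMDLINES = [
    # Console running, remote clients allowed, old release: highest concern
    "java -cp /opt/app/lib/h2-1.4.200.jar org.h2.tools.Server -web -webAllowOthers -webPort 8082",
    # Console running with the default localhost-only binding, old release
    "java -cp /opt/app/lib/h2-2.0.202.jar org.h2.tools.Server -web -webPort 8082",
    # Console running on the fixed release
    "java -cp /opt/app/lib/h2-2.0.206.jar org.h2.tools.Server -web -webAllowOthers",
    # TCP server only, no web console: not affected per the advisory
    "java -cp /opt/app/lib/h2-1.4.200.jar org.h2.tools.Server -tcp -tcpPort 9092",
    # Unrelated Java process
    "java -jar /opt/other/service.jar",
]

# Matches the Maven artifact name of the H2 jar, e.g. h2-2.0.206.jar (assumed naming).
VERSION_RE = re.compile(r"h2-(\d+)\.(\d+)\.(\d+)\.jar")


def parse_h2_version(cmdline):
    """Return the H2 version as an (major, minor, build) tuple, or None if no H2 jar is found."""
    m = VERSION_RE.search(cmdline)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version):
    """True when the detected version is at or above the fixed release."""
    return version is not None and version >= FIXED_VERSION


def assess(cmdline):
    """Classify one process against the advisory's three exposure factors.

    Returned 'risk' values:
      not-h2          no H2 jar or H2 class on the command line
      no-console      H2 present, but the web console was not started
      patched         console running on 2.0.206 or later
      localhost-only  console running, unpatched, default local-only binding
      high            console running, unpatched, open to remote clients
    """
    args = cmdline.split()
    version = parse_h2_version(cmdline)
    if version is None and "org.h2" not in cmdline:
        return {"version": None, "console": False, "remote": False, "risk": "not-h2"}

    console = "org.h2.tools.Server" in args and "-web" in args
    remote = "-webAllowOthers" in args   # H2 flag that allows non-local console clients

    if not console:
        risk = "no-console"
    elif is_patched(version):
        risk = "patched"
    elif remote:
        risk = "high"
    else:
        risk = "localhost-only"           # still upgrade; one config change away from exposure
    return {"version": version, "console": console, "remote": remote, "risk": risk}


def triage(cmdlines):
    """Count processes per risk class so the worst findings can be handled first."""
    counts = {}
    for line in cmdlines:
        risk = assess(line)["risk"]
        counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = assess(line)
        print(f"{result['risk']:<15} version={result['version']}  {line}")
    print(triage(SAMPLE_CMDLINES))
```

On a real host the command lines would come from `ps -eo args` or an EDR process inventory; anything rated high should be upgraded or firewalled first, and localhost-only instances still need the upgrade because a single configuration change turns them into the high case.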
Sent Yes
Tags Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.