Log4Shell-like safety gap present in well-liked Java SQL database engine H2 – Bare Safety

0
99

[ad_1]

“It’s Log4Shell, Jim,” as Commander Spock by no means really mentioned, “However not as we all know it.”
That’s the briefest abstract we are able to give you of the bug CVE-2021-42392, a safety gap just lately reported by researchers at software program provide chain administration firm Jfrog.
This time, the bug isn’t in Apache’s beleagured Log4j toolkit, however may be present in a preferred Java SQL server referred to as the H2 Database Engine.
H2 isn’t like a standard SQL system comparable to MySQL or Microsoft SQL server.
Though you possibly can run H2 as a standalone server for different apps to attach into, its predominant declare to fame is its modest dimension and self-contained nature.
In consequence, you possibly can bundle the H2 SQL database code proper into your individual Java apps, and run your databases completely in reminiscence, without having for separate server processes.
As with Log4j, after all, which means you could have working situations of the H2 Database Engine code inside your organisation with out realising it, in the event you use any apps or growth elements that themselves quietly embrace it.

JNDI again within the highlight
Just like the Log4Shell vulnerability, this one relies on abuse of the Java Naming and Listing Interface, higher generally known as JNDI, which is an integral a part of each commonplace Java set up.
JNDI is meant to make it simpler to establish and entry helpful assets throughout your community, together with discovering and fetching remotely saved software program elements utilizing well-known search-and-discovery protocols comparable to LDAP (the Light-weight Listing Entry Protocol).
As harmful as this sounds, it’s vital to keep in mind that comparable performance may be coded into any software program (compiled or interpreted, script or binary) that has community entry, can obtain arbitrary knowledge, and is ready to flip that knowledge into executable code of some kind. JNDI merely makes it very a lot simpler to construct distributed apps that discover and cargo distant elements. This form of programmatic comfort typically improves safety, as a result of it’s typically simpler to audit and evaluate code when it follows a well-documented path. However typically it reduces safety, as a result of it makes it simpler to introduce sudden side-effects by mistake. We noticed this in Log4j, the place “write out a textual content string to maintain a file of knowledge submitted by a distant person” may inadvertently flip into “obtain and run an untrusted program specified by a distant person”.
Thankfully, in contrast to Log4Shell, the CVE-2021-42392 bug can’t be triggered just by emebdding booby-trapped textual content into queries that get despatched to the H2 database engine.
Though Jfrog has documented a number of ways in which cybercrimimals may, in concept, trick H2 into working arbitary distant code, the most definitely assault path entails:

An energetic H2 web-based console. This can be a built-in net server that often listens on TCP port 8082, and permits builders to work together with the H2 SQL backend whereas it’s working. If this port is blocked or the console is inactive then this avenue of assault gained’t work.
An H2 console listening on an exterior community interface. By default, the console solely accepts connections from the pc it’s working on (localhost, often IP quantity 127.0.0.1 in an IPv4 community). Except this default is modified, attackers would wish native entry anyway earlier than they might get on the H2 console.

In response to H2, apps that embed the H2 engine immediately into their code “are usually not externally uncovered”, however so far as we are able to see this notice refers solely to the database engine itself when it’s not working as a SQL server, and to not the net console element.
Sadly, Jfrog notes:
We’ve noticed that some third-party instruments counting on the H2 database will run the H2 console uncovered to distant purchasers by default. For instance, the JHipster framework additionally exposes the H2 console, and by default units the webAllowOthers property to true.
(The setting webAllowOthers is the Java property utilized by H2 to resolve whether or not to just accept connections from exterior community interfaces.)
The default net console login web page features a type that permits customers to specify how they need to connect with the database.
A malevolent person may use this way to request a JNDI lookup through LDAP, similar to in a Log4Shell assault, to be able to trick H2 into fetching and working a distant Java .class file (a compiled Java program).
Though a treacherous URL used to launch an assault could be submitted within the the identical login type that requests a username and password, Jfrog found that the JNDI lookup occurs earlier than the username and password are verified.
This implies an attacker doesn’t want working credentials to take advantage of the vulnerability, in order that the bug opens up what’s generally known as an unauthenticated distant code execution (RCE) gap, essentially the most harmful kind.
LEARN HOW JNDI AND LDAP COMBINE FOR REMOTE CODE EXECUTION
For a dwell demonstration of how JNDI may be maliciously mixed with JDAP lookups to obtain and run untrusted distant code, watch this video:

Should you can’t learn the textual content within the video clearly right here, attempt utilizing Full Display mode, or watch immediately on YouTube. Click on on the cog within the video participant to hurry up playback or to activate subtitles.
What to do?

You probably have apps that use the H2 Database Engine, improve H2 to model 2.0.206.

On the time of writing, 2.0.206 (launched 2022-01-04) is listed as the most recent model, though the H2 changelog nonetheless lists 2.0.206 as “unreleased”, and doesn’t doc CVE-2021-42392 as one of many points fastened.
Jfrog, nevertheless, states that 2.0.206 features a comparable code change to the one which Apache used within the Log4j 2.17.0 replace: H2 now not permits JNDI for use with any distant references.
This implies, in concept, that attackers can now not pull off the trick of claiming “do a lookup, however use a community request that takes you to an untrusted exernal location in order that we are able to manipulate the outcomes”.
So far as we are able to see, the up to date H2 Database Engine now solely makes use of JNDI for what are basically native Java perform calls, in order that distant code execution as an sudden side-effect of utilizing JNDI is now not doable, neither accidentally nor design.

To seek out situations of the H2 code in your community, you possibly can seek for information referred to as h2-*.jar.

The wildcard textual content denoted by * needs to be of the shape X.Y.Z, representing the model variety of H2 that’s in use – something beneath 2.0.206 needs to be changed with the most recent model.

[ad_2]