May 28, 2023

Researchers have disclosed a flaw affecting the H2 database console that could lead to remote code execution in a manner that echoes the Log4Shell vulnerability.

The issue, tracked as CVE-2021-42392, is the first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading.


H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode. The H2 database engine is used by 6,807 artifacts.

The shared root cause is JNDI (Java Naming and Directory Interface), which lets a Java application resolve a name against directory servers both inside and outside the network at runtime. When the name is attacker-controlled, for example an ldap:// or rmi:// URL pointing at a server the attacker runs, the lookup can fetch and instantiate a remote class, which is what turned Log4Shell into unauthenticated remote code execution: there the malicious lookup arrived as a string that a vulnerable version of the Log4j library logged. In H2 the same sink is reached through the console rather than through logging. The console accepts a JDBC driver class name and connection URL from the request, and when the supplied class is a JNDI Context the URL is handed to a JNDI lookup, so an attacker who can submit those fields can trigger remote class loading and run code on the server.
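The pattern described above, as an added example that is not H2's own code: a connect routine in the vulnerable shape (request-controlled driver class and URL flowing into a JNDI lookup) beside a screening function that refuses JNDI names outside the in-JVM java: namespace and insists that anything else be a real java.sql.Driver with a jdbc: URL. The class name, the screening policy and the sample requests are this example's own assumptions; the placeholder hostnames are never contacted and the vulnerable method is never called.

```java
import java.sql.Driver;
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;

/**
 * Added example (not H2 project code): the JNDI sink pattern behind CVE-2021-42392,
 * next to an allow-list screen. Class and method names are this example's own.
 * Requires Java 16+ for the record type.
 */
public class JndiSinkDemo {

    /**
     * Vulnerable shape: both the driver class name and the URL come straight from the
     * request. If the class is a JNDI Context, the URL is handed to lookup(), so an
     * "ldap://" or "rmi://" name resolves against an attacker's server and can load a
     * remote class. Kept here for contrast only; main() never calls it.
     */
    static Object vulnerableConnect(String driverClass, String url) throws Exception {
        Class<?> d = Class.forName(driverClass);
        if (Context.class.isAssignableFrom(d)) {
            return new InitialContext().lookup(url);           // the sink
        }
        Driver drv = (Driver) d.getDeclaredConstructor().newInstance();
        return drv.connect(url, null);
    }

    /** Outcome of screening a request before any class is instantiated or any name looked up. */
    record Decision(boolean allowed, String reason) {}

    /**
     * Hardened screening (this example's policy, not the upstream fix):
     *  - resolve the class without initialising it, so no static initialiser runs;
     *  - a JNDI Context may only be used with the in-JVM "java:" namespace, which rules
     *    out ldap://, rmi://, dns:// and any other remote provider;
     *  - anything else must be a java.sql.Driver and must be given a "jdbc:" URL.
     */
    static Decision screen(String driverClass, String url) {
        Class<?> d;
        try {
            d = Class.forName(driverClass, false, JndiSinkDemo.class.getClassLoader());
        } catch (ClassNotFoundException | LinkageError e) {
            return new Decision(false, "driver class not available: " + driverClass);
        }
        if (Context.class.isAssignableFrom(d)) {
            if (url.startsWith("java:")) {
                return new Decision(true, "local JNDI namespace");
            }
            return new Decision(false, "remote JNDI provider refused: " + url);
        }
        if (!Driver.class.isAssignableFrom(d)) {
            return new Decision(false, "not a JDBC driver: " + driverClass);
        }
        if (!url.startsWith("jdbc:")) {
            return new Decision(false, "JDBC driver given a non-jdbc URL: " + url);
        }
        return new Decision(true, "JDBC driver with jdbc: URL");
    }

    public static void main(String[] args) {
        // Constructed sample requests; attacker.example is a placeholder, nothing is contacted.
        // org.h2.Driver is rejected here only because H2 is not on this demo's classpath.
        List<String[]> requests = List.of(
            new String[]{"javax.naming.InitialContext", "ldap://attacker.example/Exploit"},
            new String[]{"javax.naming.InitialContext", "rmi://attacker.example/obj"},
            new String[]{"javax.naming.InitialContext", "java:comp/env/jdbc/appDb"},
            new String[]{"java.lang.Runtime", "jdbc:h2:mem:test"},
            new String[]{"org.h2.Driver", "jdbc:h2:mem:test"}
        );
        for (String[] r : requests) {
            Decision d = screen(r[0], r[1]);
            System.out.printf("%-28s %-34s -> %s (%s)%n", r[0], r[1],
                    d.allowed() ? "ALLOW" : "REJECT", d.reason());
        }
    }
}
```

The point of the screen is ordering: the class is resolved with initialisation disabled and the URL scheme is checked before any constructor or lookup runs, so the decision is made without giving the supplied input a chance to execute anything.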

The flaw affects H2 database versions 1.1.100 to 2.0.204 and has been addressed in version 2.0.206 shipped on January 5, 2022.


The H2 database is used by many third-party frameworks, including Spring Boot, Play Framework and JHipster. While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed in time. Two checks narrow the exposure quickly: the H2 console is not enabled by default (in Spring Boot it is off unless spring.h2.console.enabled is set to true), and even when enabled it listens only for connections from the local host unless it is started with -webAllowOthers, so an instance that is reachable from other hosts is the one to patch first.
