CVE-2021-42392
H2 Database vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2021-42392) was discovered in H2 Database Console versions 1.1.100 to 2.0.204 (released 2008-10-14 to 2021-12-21). It allows an attacker to pass a JNDI driver name together with a URL pointing at an LDAP or RMI server, enabling remote code execution. H2 is a popular open-source Java SQL database that offers a lightweight in-memory option and is commonly embedded in web frameworks such as Spring Boot and in IoT platforms (JFrog Blog).

Technical details

The vulnerability exists in the org.h2.util.JdbcUtils.getConnection method, which takes a driver class name and a database URL as parameters. If the driver class is assignable to javax.naming.Context, the method instantiates it and calls its lookup method with the unfiltered, attacker-controlled URL before any credentials are validated. By supplying a driver class such as javax.naming.InitialContext together with a malicious URL (e.g., ldap://attacker.com/Exploit), an attacker can achieve remote code execution (JFrog Blog, SecPod Blog).

Impact

The vulnerability allows unauthenticated remote code execution, potentially leading to disclosure of sensitive information, addition or modification of data, or denial of service. Unlike Log4Shell, this vulnerability has a 'direct' scope of impact, meaning typically only the server processing the initial request (H2 console) will be affected (JFrog Blog, NetApp Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to H2 database version 2.0.206 or later, which fixes the vulnerability by limiting JNDI URLs to use only the (local) java protocol. For vendors unable to upgrade, using newer versions of Java (6u211, 7u201, 8u191, 11.0.1 or later) provides some protection through the trustURLCodebase mitigation. Additionally, when deploying the H2 console Servlet on a web server, security constraints can be added to allow only specific users access to the console page (JFrog Blog).
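As an added illustration of the two passages above (the getConnection dispatch in Technical details and the java-protocol restriction in Mitigation), the following Java snippet is not H2's source: it re-creates the unfiltered shape and the hardened shape side by side. The class name, method names and the sample URLs in main are constructed for the example.

```java
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingException;
// Illustrative re-creation of the pattern described above, not H2's own code.
// A driver class that implements javax.naming.Context is treated as a JNDI
// lookup; the only difference between the two paths is whether the URL is filtered.
public final class JndiDriverCheck {
    // Unfiltered shape: whatever URL arrives is passed straight to Context.lookup,
    // so an ldap:// or rmi:// reference can resolve to a remote object.
    static Object resolveUnfiltered(String driverClassName, String url)
            throws ReflectiveOperationException, NamingException {
        Class<?> driver = Class.forName(driverClassName);
        if (Context.class.isAssignableFrom(driver)) {
            Context ctx = (Context) driver.getDeclaredConstructor().newInstance();
            return ctx.lookup(url);
        }
        return null; // a real JDBC driver would be loaded here instead
    }
    // Hardened shape, mirroring the 2.0.206 fix: only the local "java" scheme passes.
    static boolean isLocalJndiUrl(String url) {
        if (url == null) return false;
        int colon = url.indexOf(':');
        if (colon <= 0) return false;
        String scheme = url.substring(0, colon).toLowerCase(Locale.ROOT);
        return scheme.equals("java");
    }
    static Object resolveFiltered(String driverClassName, String url)
            throws ReflectiveOperationException, NamingException {
        Class<?> driver = Class.forName(driverClassName);
        if (Context.class.isAssignableFrom(driver)) {
            if (!isLocalJndiUrl(url)) {
                throw new NamingException("JNDI URL scheme not permitted: " + url);
            }
            Context ctx = (Context) driver.getDeclaredConstructor().newInstance();
            return ctx.lookup(url);
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed samples: one local name and two of the remote forms the text names.
        String[] urls = { "java:comp/env/jdbc/h2", "ldap://attacker.com/Exploit", "rmi://attacker.com/Exploit" };
        for (String u : urls) {
            System.out.println(u + " -> local=" + isLocalJndiUrl(u));
        }
    }
}
```

The main method only exercises the scheme filter; the resolve methods are shown so the single missing check between the two versions is visible.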

Community reactions

This vulnerability was discovered and reported by JFrog Security's vulnerability research team. It is considered the first JNDI-related unauthenticated RCE vulnerability to be published since Log4Shell, though it is expected to have less widespread impact due to its more limited attack scope (JFrog Blog).

This report was generated using AI.