H2 Java SQL database vulnerability: What steps to take

H2

Researchers have discovered a vulnerability similar to Log4j, specifically a JNDI-based vulnerability in the H2 database console. CSO reported that “the issue carries a critical risk of unauthenticated remote code execution (RCE) for certain organizations who should update their H2 databases immediately.”

The .jar file in question is used in some eFORMz implementations. There are several ways to mitigate this vulnerability:

  • Do not open unnecessary TCP ports to the internet.
  • Remove the H2 jar file if present and not used.
  • Update to the latest h2 (http://www.h2database.com/html/download.html) 2.0.206
  • Ensure your settings do not start unused features.

Please contact Minisoft Support (support@minisoft.com) to schedule a checkup.

Log4j

Regarding Log4j, eFORMz does not deliver the components used in the exploit. To satisfy the call requirements for logging, eFORMz uses slf4j (Simple Logging Façade for Java) and that points to no-op (slf4j-nop) rather than log4j.

The shipped version of slf4j should be 1.7.25 (https://www.cvedetails.com/version/267529/Slf4j-Slf4j-1.7.25.html)

First Steps

  • To ensure our product is safe on your system, please verify that none of the offending files “log4j-core-*.jar”  have been installed.
  • The CVE noted option of disabling msg lookups will not adversely affect eFORMz. Add -Dlog4j2.formatMsgNoLookups=true to the startup. Call for assistance. This should not have any affect on eFORMz as there is no current use for logging through this facility.

Next Steps

  • If you do not use the web services built into eFORMz, ensure they are disabled.
  • If you do use the web services, ensure your firewall rules are valid and that the authentication used is appropriate.