CVE-2021-4104

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Published Dec 14, 2021

PR #608 Red Hat · Bugzilla #2031667

CVSS ScoreHigh

7.5

Vulnerabilities

CVE-2021-4104

Published Dec 14, 2021

PR #608 Red Hat · Bugzilla #2031667

CVSS ScoreHigh

7.5

CVE-2021-4104 Security Details

CVE ID: CVE-2021-4104
CWE: CWE-502
CVE Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Published: Dec 14, 2021
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 72.202%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/log4j/net/JMSAppender.activateOptions()V
JVM
org/apache/log4j/net/JMSAppender.lookup(Ljavax/naming/Context;Ljava/lang/String;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · PR #608PROJECT
Red Hat · Bugzilla #2031667THIRD_PARTY

CVE-2021-4104 Security Details

CVE ID: CVE-2021-4104
CWE: CWE-502
CVE Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Published: Dec 14, 2021
CVSS Score & Severity: 7.5High
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 72.202%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/log4j/net/JMSAppender.activateOptions()V
JVM
org/apache/log4j/net/JMSAppender.lookup(Ljavax/naming/Context;Ljava/lang/String;)Ljava/lang/Object;
JVMVulnerable params: 0, 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · PR #608PROJECT
Red Hat · Bugzilla #2031667THIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2021-4104

CVE-2021-4104 Security Details

CVE-2021-4104 Security Details