CVE-2021-4104

high-risk

Published 2021-12-14

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Do I need to act?

69.3% chance of exploitation in next 30 days

EPSS score — higher than 31% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / HIGH complexity

Affected Products (20)

Log4J

Fedora

Codeready Studio

Integration Camel K

Integration Camel Quarkus

Jboss A-Mq

Jboss A-Mq Streaming

Jboss Data Grid

Jboss Data Virtualization

Jboss Enterprise Application Platform

Jboss Fuse

Jboss Fuse Service Works

Jboss Operations Network

Jboss Web Server

Openshift Application Runtimes

Openshift Container Platform

Affected Vendors

Redhat Apache Oracle Fedoraproject

References (28)

http://www.openwall.com/lists/oss-security/2022/01/18/3

https://access.redhat.com/security/cve/CVE-2021-4104

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033

https://security.gentoo.org/glsa/202209-02

https://security.gentoo.org/glsa/202310-16

https://security.gentoo.org/glsa/202312-02

https://security.gentoo.org/glsa/202312-04

https://security.netapp.com/advisory/ntap-20211223-0007/

https://www.cve.org/CVERecord?id=CVE-2021-44228

https://www.kb.cert.org/vuls/id/930724

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

http://www.openwall.com/lists/oss-security/2022/01/18/3

https://access.redhat.com/security/cve/CVE-2021-4104

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033

https://security.gentoo.org/glsa/202209-02

https://security.gentoo.org/glsa/202310-16

and 8 more references

/ 100

high-risk

Severity 22/34 · High

Exploitability 19/34 · Moderate

Exposure 28/34 · Critical