← back
CVE-2021-4104

Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

CVSS 7.5 HIGHEPSS 81.1%CWE-502
Vexday Risk Score
43Attention
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 81.1%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
14 Dec 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache Log4j 1.x

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/security/cve/CVE-2021-4104https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033https://security.gentoo.org/glsa/202209-02https://security.gentoo.org/glsa/202310-16https://security.gentoo.org/glsa/202312-02https://security.gentoo.org/glsa/202312-04https://security.netapp.com/advisory/ntap-20211223-0007/https://www.cve.org/CVERecord?id=CVE-2021-44228https://www.kb.cert.org/vuls/id/930724https://www.oracle.com/security-alerts/cpuapr2022.htmlhttps://www.oracle.com/security-alerts/cpujan2022.html