Vulnerability Details : CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2021-4104
Probability of exploitation activity in the next 30 days: 89.22%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 98 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-4104
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
[email protected] |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.6
|
5.9
|
[email protected] |
CWE ids for CVE-2021-4104
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by:
- [email protected] (Primary)
- [email protected] (Secondary)
References for CVE-2021-4104
-
https://www.kb.cert.org/vuls/id/930724
Mitigation;Patch;Third Party Advisory;US Government Resource
-
http://www.openwall.com/lists/oss-security/2022/01/18/3
Mailing List
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20211223-0007/
Third Party Advisory
-
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
Issue Tracking;Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Patch;Third Party Advisory
-
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
Third Party Advisory
-
https://access.redhat.com/security/cve/CVE-2021-4104
Mitigation;Third Party Advisory
-
https://www.cve.org/CVERecord?id=CVE-2021-44228
Not Applicable;Third Party Advisory
-
https://security.gentoo.org/glsa/202209-02
Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory
Products affected by CVE-2021-4104
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*