Vulnerability Details : CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Vulnerability category: Execute code
Published 2021-12-14 12:15:12
Updated 2022-10-05 17:53:48
Source Red Hat, Inc.
View at NVD,

Exploit prediction scoring system (EPSS) score for CVE-2021-4104

Probability of exploitation activity in the next 30 days: 89.22%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 98 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-4104

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Source
[email protected]
[email protected]

CWE ids for CVE-2021-4104

References for CVE-2021-4104

Products affected by CVE-2021-4104

This web site uses cookies for managing your session and website analytics (Google analytics) purposes as described in our privacy policy.
By using this web site you are agreeing to terms of use!