CVE-2021-4104
Published on: 12/14/2021 12:00:00 AM UTC
Last Modified on: 10/05/2022 05:53:00 PM UTC
Certain versions of Log4j from Apache contain the following vulnerability:
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
- CVE-2021-4104 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software:
Apache Software Foundation - Apache Log4j 1.x version = 1.2.x
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | HIGH | LOW | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | MEDIUM | SINGLE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Red Hat Customer Portal - Access to 24x7 support and knowledge | access.redhat.com text/html |
![]() |
Security Advisory | psirt.global.sonicwall.com text/html |
![]() |
cve-website | www.cve.org text/html |
![]() |
Oracle Critical Patch Update Advisory - April 2022 | www.oracle.com text/html |
![]() |
Oracle Critical Patch Update Advisory - January 2022 | www.oracle.com text/html |
![]() |
IBM Spectrum Protect: Multiple Vulnerabilities (GLSA 202209-02) — Gentoo security | security.gentoo.org text/html |
![]() |
CVE-2021-4104 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security | security.netapp.com text/html |
![]() |
oss-security - CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x | www.openwall.com text/html |
![]() |
VU#930724 - Apache Log4j allows insecure JNDI lookups | www.kb.cert.org text/html |
![]() |
Oracle Critical Patch Update Advisory - July 2022 | www.oracle.com text/html |
![]() |
Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2 · GitHub | github.com text/html |
![]() |
Related QID Numbers
- 159573 Oracle Enterprise Linux Security Update for log4j (ELSA-2021-5206)
- 159603 Oracle Enterprise Linux Security Update for parfait:0.5 (ELSA-2022-0290)
- 159619 Oracle Enterprise Linux Security Update for log4j (ELSA-2022-9056)
- 179047 Debian Security Update for apache-log4j1.2 (DLA 2905-1)
- 179633 Debian Security Update for apache-log4j1.2 (CVE-2021-4104)
- 198633 Ubuntu Security Notification for Apache Log4j 1.2 Vulnerability (USN-5223-1)
- 20251 IBM DB2 Security Update for Log4j (6528678)
- 239973 Red Hat Update for log4j (RHSA-2021:5206)
- 239980 Red Hat Update for rh-maven36-log4j12 (RHSA-2021:5269)
- 240034 Red Hat Update for parfait:0.5 (RHSA-2022:0289)
- 240035 Red Hat Update for parfait:0.5 (RHSA-2022:0290)
- 240036 Red Hat Update for parfait:0.5 (RHSA-2022:0291)
- 240059 Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2022:0436)
- 240060 Red Hat Update for JBoss Enterprise Application Platform 6.4 (RHSA-2022:0438)
- 240078 Red Hat Update for red hat jboss web server 3.1 service pack 14 (RHSA-2022:0524)
- 240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
- 240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
- 240452 Red Hat Update for parfait:0.5 (RHSA-2022:0294)
- 240508 Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5459)
- 240511 Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5460)
- 257136 CentOS Security Update for log4j (CESA-2021:5206)
- 353112 Amazon Linux Security Advisory for log4j : ALAS-2022-1562
- 353124 Amazon Linux Security Advisory for log4j : ALAS2-2022-1739
- 376187 Apache Log4j 1.2 Remote Code Execution Vulnerability
- 376415 IBM WebSphere Application Server Multiple Vulnerabilities (Log4Shell) (6526750)
- 376425 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
- 377147 Alibaba Cloud Linux Security Update for parfait:0.5 (ALINUX3-SA-2022:0006)
- 377225 Alibaba Cloud Linux Security Update for log4j (ALINUX2-SA-2021:0072)
- 671353 EulerOS Security Update for log4j (EulerOS-SA-2022-1276)
- 710616 Gentoo Linux IBM Spectrum Protect Multiple Vulnerabilities (GLSA 202209-02)
- 730566 Atlassian Jira Server and Data Center Log4j Vulnerability (JRASERVER-73885)
- 751522 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4111-1)
- 751523 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4115-1)
- 751524 OpenSUSE Security Update for log4j12 (openSUSE-SU-2021:4112-1)
- 751525 OpenSUSE Security Update for log4j (openSUSE-SU-2021:4111-1)
- 751556 OpenSUSE Security Update for log4j12 (openSUSE-SU-2021:1612-1)
- 87483 Oracle WebLogic Server Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
- 940440 AlmaLinux Security Update for parfait:0.5 (ALSA-2022:0290)
- 960689 Rocky Linux Security Update for parfait:0.5 (RLSA-2022:0290)
Exploit/POC from Github
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-20…
Known Affected Configurations (CPE V2.3)
- cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*:
- cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*:
- cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*:
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*:
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*:
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*:
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*:
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
@WildFlyAS new day - another cve - what about the CVE-2021-4104 - RedHats JBoss EAP 7 is affected | 2021-12-13 08:57:08 |
![]() |
@WildFlyAS please also see access.redhat.com/security/cve/C… for the log4J 1.x Versions - if your application server is confi… twitter.com/i/web/status/1… | 2021-12-13 10:18:02 |
![]() |
? CVE-2021-4104 Log4j 1.x vulnerability in JMS appender (requires privileged access to configuration)… twitter.com/i/web/status/1… | 2021-12-13 11:07:13 |
![]() |
The vuln CVE-2021-4104 has a tweet created 0 days ago and retweeted 12 times. twitter.com/yazicivo/statu… #pow1rtrtwwcve | 2021-12-13 18:06:02 |
![]() |
Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2: Posted by Moritz Bechler o… twitter.com/i/web/status/1… | 2021-12-13 21:53:33 |
![]() |
CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2: Posted by Ralph Goers on Dec 1… twitter.com/i/web/status/1… | 2021-12-13 21:53:34 |
![]() |
CVE-2021-4104 | Log4j The class which is the cause of this issue is not included in the distribution of Warp 10. Of… twitter.com/i/web/status/1… | 2021-12-14 08:43:49 |
![]() |
CVE-2021-4104 is just what I don't need right now #log4j | 2021-12-14 10:37:57 |
![]() |
RedHat's bulletin: access.redhat.com/security/cve/C… #log4j twitter.com/philrandal/sta… | 2021-12-14 10:38:58 |
![]() |
Sources : access.redhat.com/security/cve/C… access.redhat.com/security/cve/C… Et confirmations : bugzilla.redhat.com/show_bug.cgi?i…… twitter.com/i/web/status/1… | 2021-12-14 11:55:44 |
![]() |
CVE-2021-4104 | 2021-12-14 11:38:37 |
![]() |
Cve-2021-4104 vs Cve-2021-44228 | 2021-12-19 02:47:52 |
![]() |
CVE-2021-4104 - No word from Cisco on this one | 2021-12-20 19:53:37 |
![]() |
FedEx Ship Manager still has Log4j vulnerability after update. | 2022-01-11 00:14:00 |
![]() |
What Is Log4Shell? The Log4j Vulnerability Explained in 2022 | 2022-01-25 05:25:17 |
![]() |
How after this long????????? Due to use of Apache Log4j, IBM QRadar SIEM is affected by arbitrary code execution | 2022-10-27 14:25:03 |