QID 376187

Date Published: 2021-12-16

QID 376187: Apache Log4j 1.2 Remote Code Execution Vulnerability

Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation.

The JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.
An attacker who can set the TopicBindingName and TopicConnectionFactoryBindingName configuration values can cause JMSAppender to perform JNDI requests that result in remote code execution, in a similar fashion to CVE-2021-44228.

Affected versions:
Log4j version 1.2

QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version in the 1.2 series, the target is flagged as potentially vulnerable.
QID Detection: (Authenticated) - Windows
On Windows systems, the QID identifies vulnerable instances of log4j via WMI by checking the command lines of running processes for a loaded log4j library.

Successful exploitation of this vulnerability could lead to remote code execution (RCE) on the target.

  • CVSS V3 rated as Critical - 8.1 severity.
  • CVSS V2 rated as High - 6.8 severity.

Solution:
Customers are advised to upgrade their Log4j to version 2.16. If updating the version is not possible, refer to the Log4j mitigations linked under Vendor References.
Workaround:
Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.2 configurations without a JMSAppender are not impacted by this vulnerability.
Log4j 1.x does not have Lookups, so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration.
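The workaround above is an audit of the logging configuration. The following script is an added example of that audit; it is not Qualys' detection logic and not Apache's code. It reads Log4j 1.x configuration text in either the log4j.properties or the log4j.xml format, reports every appender whose class is org.apache.log4j.net.JMSAppender together with the JNDI-related settings named in this advisory (TopicBindingName and TopicConnectionFactoryBindingName), and treats a configuration with no JMSAppender as not impacted. The sample configurations and the context factory name com.example.ContextFactory are constructed for the example.

```python
"""Audit Log4j 1.x configuration text for a configured JMSAppender.

Added example (not Qualys' detection logic and not Apache's code). A Log4j 1.2
configuration with no JMSAppender is not affected by this issue, so the audit
looks for any appender of class org.apache.log4j.net.JMSAppender and reports the
JNDI-related settings attached to it. Both the log4j.properties and the
log4j.xml configuration formats are handled.
"""
import re
import sys
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender settings that drive JNDI lookups (compared case-insensitively).
JNDI_PARAMS = {"topicbindingname", "topicconnectionfactorybindingname"}

# Properties format: "log4j.appender.<name>=<class>" declares an appender,
# "log4j.appender.<name>.<Param>=<value>" configures it ("=" separator only).
_CLASS_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$", re.I)
_PARAM_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$", re.I)


def audit_properties(text):
    """Findings for log4j.properties text: [{"appender": name, "jndi": {param: value}}]."""
    jms_appenders = []
    params = {}  # appender name -> {param name: value}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = _CLASS_RE.match(line)
        if m:
            if m.group(2) == JMS_APPENDER_CLASS:
                jms_appenders.append(m.group(1))
            continue
        m = _PARAM_RE.match(line)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    # Declaration and parameter lines may appear in any order, so join at the end.
    return [
        {"appender": name,
         "jndi": {p: v for p, v in params.get(name, {}).items() if p.lower() in JNDI_PARAMS}}
        for name in jms_appenders
    ]


def audit_xml(text):
    """Findings for log4j.xml text (same shape as audit_properties)."""
    root = ET.fromstring(text.lstrip())  # tolerate whitespace before the XML declaration
    findings = []
    for appender in root.iter("appender"):
        if appender.get("class") != JMS_APPENDER_CLASS:
            continue
        jndi = {p.get("name"): p.get("value", "")
                for p in appender.findall("param")
                if p.get("name", "").lower() in JNDI_PARAMS}
        findings.append({"appender": appender.get("name"), "jndi": jndi})
    return findings


def audit_config(text):
    """Dispatch on format: XML configurations start with '<', anything else is properties."""
    return audit_xml(text) if text.lstrip().startswith("<") else audit_properties(text)


def is_affected(text):
    """True when the configuration declares at least one JMSAppender."""
    return bool(audit_config(text))


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_PROPERTIES = """
# root logger sends to a file and to JMS
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms.InitialContextFactoryName=com.example.ContextFactory
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="com.example.ContextFactory"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><priority value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

SAMPLE_CLEAN_PROPERTIES = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=/var/log/app.log
"""


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Audit files given on the command line, or the constructed samples if none.
    sources = [(p, _read(p)) for p in sys.argv[1:]] or [
        ("sample.properties", SAMPLE_PROPERTIES),
        ("sample.xml", SAMPLE_XML),
        ("clean.properties", SAMPLE_CLEAN_PROPERTIES),
    ]
    for name, text in sources:
        for f in audit_config(text):
            print(f"{name}: JMSAppender '{f['appender']}' configured, JNDI settings {f['jndi']}")
        if not is_affected(text):
            print(f"{name}: no JMSAppender configured (not impacted per this advisory)")
```

Run it with the paths of the log4j.properties or log4j.xml files found on a host; with no arguments it audits the embedded samples. The properties parser deliberately collects parameter lines before matching them to the appender declaration, because the declaration may appear after its parameters, as in the sample; the JNDI-related parameter names are matched case-insensitively since Log4j resolves them through reflection rather than exact key comparison.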
Vendor References

CVEs related to QID 376187

Software Advisories
Software Component: Log4j 1.2
Link: logging.apache.org/log4j/2.x/security.html#