CVE-2021-4104

7.5 HIGH
Published: December 14, 2021 Modified: May 28, 2026

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
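Because the issue only applies when JMSAppender is actually configured, the practical first check is to audit the Log4j 1.2 configuration files a deployment ships. The following is an added example (not code from NVD, Apache or any referenced advisory) that parses both log4j.properties and log4j.xml style configurations, reports every appender whose class is org.apache.log4j.net.JMSAppender, and shows the two JNDI binding names the description refers to; the sample configuration is constructed.

```python
"""Audit a Log4j 1.2 configuration for JMSAppender use (CVE-2021-4104).
Constructed example; the property/element names are Log4j 1.2's own."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

def _from_properties(text):
    """log4j.properties style: log4j.appender.<name>=<class>, then <name>.<param>."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
            if m:
                props[m.group(1)] = m.group(2)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value.strip() == JMS_APPENDER:
            name = m.group(1)
            findings.append({"appender": name, **{
                p: props.get(f"log4j.appender.{name}.{p}") for p in JNDI_PARAMS}})
    return findings

def _from_xml(text):
    """log4j.xml style: <appender class=...><param name=... value=.../></appender>."""
    findings = []
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_APPENDER:
            params = {p.get("name"): p.get("value") for p in app.findall("param")}
            findings.append({"appender": app.get("name"),
                             **{p: params.get(p) for p in JNDI_PARAMS}})
    return findings

def audit_log4j1_config(text):
    """One dict per JMSAppender found (with its JNDI binding names); an empty
    list means the CVE-2021-4104 precondition, JMSAppender in use, is absent."""
    return _from_xml(text) if text.lstrip().startswith("<") else _from_properties(text)

SAMPLE_PROPERTIES = """\
# constructed sample, not taken from any real deployment
log4j.rootLogger=INFO, jms, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
```

A non-empty result means the configuration file itself is the attack surface the description names, so write access to it (file permissions, config management, container images) is what to review next.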


CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://www.kb.cert.org/vuls/id/930724 (Source: security@apache.org)
http://www.openwall.com/lists/oss-security/2022/01/18/3
https://access.redhat.com/security/cve/CVE-2021-4104
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
https://security.gentoo.org/glsa/202209-02
https://security.gentoo.org/glsa/202310-16
https://security.gentoo.org/glsa/202312-02
https://security.gentoo.org/glsa/202312-04
https://security.netapp.com/advisory/ntap-20211223-0007/
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

28 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
81.1%
100th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

apache fedoraproject redhat oracle