CVE-2021-4104

Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

JMSAppender en Log4j versión 1.2 es vulnerable a una deserialización de datos no confiables cuando el atacante presenta acceso de escritura a la configuración de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecución de código remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema sólo afecta a Log4j versión 1.2 cuando es configurado específicamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versión 1.2 llegó al final de su vida útil en agosto de 2015. Los usuarios deberían actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP endpoint.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-12-13 CVE Reserved
2021-12-14 CVE Published
2024-07-20 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-502: Deserialization of Untrusted Data

CAPEC

References (15)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/01/18/3	Mailing List
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
https://security.netapp.com/advisory/ntap-20211223-0007
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.kb.cert.org/vuls/id/930724	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-4104	2023-12-22
https://security.gentoo.org/glsa/202209-02	2023-12-22
https://security.gentoo.org/glsa/202310-16	2023-12-22
https://security.gentoo.org/glsa/202312-02	2023-12-22
https://security.gentoo.org/glsa/202312-04	2023-12-22
https://bugzilla.redhat.com/show_bug.cgi?id=2031667	2024-08-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				1.2 Search vendor "Apache" for product "Log4j" and version "1.2"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Redhat Search vendor "Redhat"		Codeready Studio Search vendor "Redhat" for product "Codeready Studio"				12.0 Search vendor "Redhat" for product "Codeready Studio" and version "12.0"		-		Affected
Redhat Search vendor "Redhat"		Integration Camel K Search vendor "Redhat" for product "Integration Camel K"				-		-		Affected
Redhat Search vendor "Redhat"		Integration Camel Quarkus Search vendor "Redhat" for product "Integration Camel Quarkus"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq"				6.0.0 Search vendor "Redhat" for product "Jboss A-mq" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq"				7 Search vendor "Redhat" for product "Jboss A-mq" and version "7"		-		Affected
Redhat Search vendor "Redhat"		Jboss A-mq Streaming Search vendor "Redhat" for product "Jboss A-mq Streaming"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Data Grid Search vendor "Redhat" for product "Jboss Data Grid"				7.0.0 Search vendor "Redhat" for product "Jboss Data Grid" and version "7.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Data Virtualization Search vendor "Redhat" for product "Jboss Data Virtualization"				6.0.0 Search vendor "Redhat" for product "Jboss Data Virtualization" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse"				6.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse"				7.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "7.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Service Works Search vendor "Redhat" for product "Jboss Fuse Service Works"				6.0 Search vendor "Redhat" for product "Jboss Fuse Service Works" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Operations Network Search vendor "Redhat" for product "Jboss Operations Network"				3.0 Search vendor "Redhat" for product "Jboss Operations Network" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Web Server Search vendor "Redhat" for product "Jboss Web Server"				3.0 Search vendor "Redhat" for product "Jboss Web Server" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.6 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.6"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.7 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.7"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.8 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.8"		-		Affected
Redhat Search vendor "Redhat"		Process Automation Search vendor "Redhat" for product "Process Automation"				7.0 Search vendor "Redhat" for product "Process Automation" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Single Sign-on Search vendor "Redhat" for product "Single Sign-on"				7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Software Collections Search vendor "Redhat" for product "Software Collections"				-		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval"				4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				< 12.0.0.4.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.3.4 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.3.5 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"				2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Common Libraries And Tools Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools"				12.2.1.4.0 Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Goldengate Search vendor "Oracle" for product "Goldengate"				-		-		Affected
Oracle Search vendor "Oracle"		Healthcare Data Repository Search vendor "Oracle" for product "Healthcare Data Repository"				8.1.0 Search vendor "Oracle" for product "Healthcare Data Repository" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Jdeveloper Search vendor "Oracle" for product "Jdeveloper"				12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29"		-		Affected
Oracle Search vendor "Oracle"		Retail Allocation Search vendor "Oracle" for product "Retail Allocation"				14.1.3.2 Search vendor "Oracle" for product "Retail Allocation" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Allocation Search vendor "Oracle" for product "Retail Allocation"				15.0.3.1 Search vendor "Oracle" for product "Retail Allocation" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Allocation Search vendor "Oracle" for product "Retail Allocation"				16.0.3 Search vendor "Oracle" for product "Retail Allocation" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Allocation Search vendor "Oracle" for product "Retail Allocation"				19.0.1 Search vendor "Oracle" for product "Retail Allocation" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load"				13.2.5 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5"		-		Affected
Oracle Search vendor "Oracle"		Stream Analytics Search vendor "Oracle" for product "Stream Analytics"				-		-		Affected
Oracle Search vendor "Oracle"		Timesten Grid Search vendor "Oracle" for product "Timesten Grid"				-		-		Affected
Oracle Search vendor "Oracle"		Tuxedo Search vendor "Oracle" for product "Tuxedo"				12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.1.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.2.2 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.2.2"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.3.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected