apache log4j CVE-2021-4104 vulnerability in Apache and Other Products
Published on December 14, 2021

Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

product logo product logo product logo product logo
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2021-4104 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2021-4104

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-4104 are published in these products:

Apache Log4j
 
Fedora Project Fedora
 
Red Hat Codeready Studio
 
Red Hat Integration Camel K
 
Red Hat Integration Camel Quarkus
 
Red Hat Jboss A Mq
 
Red Hat Jboss A Mq Streaming
 
Red Hat Jboss Data Grid
 
Red Hat Jboss Data Virtualization
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jboss Fuse
 
Red Hat Jboss Fuse Service Works
 
Red Hat Jboss Operations Network
 
Red Hat Jboss Web Server
 
Red Hat Openshift Application Runtimes
 
Red Hat Openshift Container Platform
 
Red Hat Process Automation
 
Red Hat Single Sign On
 
Red Hat Software Collections
 
Red Hat Enterprise Linux (RHEL)
 
Oracle Retail Allocation
 
Oracle Utilities Testing Accelerator
 
Oracle Weblogic Server
 
Oracle Business Intelligence
 
Oracle Business Process Management Suite
 
Oracle Jdeveloper
 
Oracle Identity Management Suite
 
Oracle Communications Unified Inventory Management
 
Oracle Enterprise Manager Base Platform
 
Oracle Communications Network Integrity
 
Oracle Advanced Supply Chain Planning
 
Oracle Healthcare Data Repository
 
Oracle Communications Messaging Server
 
Oracle Communications Eagle Ftp Table Base Retrieval
 
Oracle Retail Extract Transform Load
 
Oracle Financial Services Revenue Management Billing Analytics
 
Oracle Hyperion Data Relationship Management
 
Oracle Mysql Enterprise Monitor
 
Oracle Hyperion Infrastructure Technology
 
Oracle Tuxedo
 
Oracle E Business Suite Cloud Manager Cloud Backup Module
 
Oracle Fusion Middleware Common Libraries Tools
 
Oracle Timesten Grid
 
Oracle Communications Offline Mediation Controller
 
Oracle Stream Analytics
 
Oracle Goldengate
 

Affected Versions

Apache Software Foundation Apache Log4j 1.x Version Apache Log4j 1.2 1.2.x is affected by CVE-2021-4104

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-4104

Package Manager Vulnerable Package Versions Fixed In
maven ru.yandex.clickhouse:clickhouse-jdbc-bridge < 2.0.7 2.0.7

Exploit Probability

EPSS
72.20%
Percentile
98.73%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.