CVE-2021-4104 vulnerability in Apache and Other Products
Published on December 14, 2021

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Vulnerability Analysis

CVE-2021-4104 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.6 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Products Associated with CVE-2021-4104

You can be notified by stack.watch whenever vulnerabilities like CVE-2021-4104 are published in these products:

Apache Log4j

  Watch

 

Fedora Project Fedora

  Watch

 

Red Hat Codeready Studio

  Watch

 

Red Hat Integration Camel K

  Watch

 

Red Hat Integration Camel Quarkus

  Watch

 

Red Hat Jboss A Mq

  Watch

 

Red Hat Jboss A Mq Streaming

  Watch

 

Red Hat Jboss Data Grid

  Watch

 

Red Hat Jboss Data Virtualization

  Watch

 

Red Hat Jboss Enterprise Application Platform

  Watch

 

Red Hat Jboss Fuse

  Watch

 

Red Hat Jboss Fuse Service Works

  Watch

 

Red Hat Jboss Operations Network

  Watch

 

Red Hat Jboss Web Server

  Watch

 

Red Hat Openshift Application Runtimes

  Watch

 

Red Hat Openshift Container Platform

  Watch

 

Red Hat Process Automation

  Watch

 

Red Hat Single Sign On

  Watch

 

Red Hat Software Collections

  Watch

 

Red Hat Enterprise Linux (RHEL)

  Watch

 

Oracle Retail Allocation

  Watch

 

Oracle Utilities Testing Accelerator

  Watch

 

Oracle Weblogic Server

  Watch

 

Oracle Business Intelligence

  Watch

 

Oracle Business Process Management Suite

  Watch

 

Oracle Jdeveloper

  Watch

 

Oracle Identity Management Suite

  Watch

 

Oracle Communications Unified Inventory Management

  Watch

 

Oracle Enterprise Manager Base Platform

  Watch

 

Oracle Communications Network Integrity

  Watch

 

Oracle Advanced Supply Chain Planning

  Watch

 

Oracle Healthcare Data Repository

  Watch

 

Oracle Communications Messaging Server

  Watch

 

Oracle Communications Eagle Ftp Table Base Retrieval

  Watch

 

Oracle Retail Extract Transform Load

  Watch

 

Oracle Financial Services Revenue Management Billing Analytics

  Watch

 

Oracle Hyperion Data Relationship Management

  Watch

 

Oracle Mysql Enterprise Monitor

  Watch

 

Oracle Hyperion Infrastructure Technology

  Watch

 

Oracle Tuxedo

  Watch

 

Oracle E Business Suite Cloud Manager Cloud Backup Module

  Watch

 

Oracle Fusion Middleware Common Libraries Tools

  Watch

 

Oracle Timesten Grid

  Watch

 

Oracle Communications Offline Mediation Controller

  Watch

 

Oracle Stream Analytics

  Watch

 

Oracle Goldengate

  Watch

 

What versions are vulnerable to CVE-2021-4104?

•   Apache Log4j Version 1.2

•   Fedora Project Fedora Version 35

•   Red Hat Jboss Operations Network Version 3.0
•   Red Hat Jboss A Mq Version 6.0.0
•   Red Hat Enterprise Linux (RHEL) Version 7.0
•   Red Hat Enterprise Linux (RHEL) Version 6.0
•   Red Hat Jboss Enterprise Application Platform Version 6.0.0
•   Red Hat Jboss Enterprise Application Platform Version 7.0
•   Red Hat Jboss Fuse Version 6.0.0
•   Red Hat Jboss Fuse Service Works Version 6.0
•   Red Hat Jboss Web Server Version 3.0
•   Red Hat Jboss Data Virtualization Version 6.0.0
•   Red Hat Enterprise Linux (RHEL) Version 8.0
•   Red Hat Single Sign On Version 7.0
•   Red Hat Software Collections Version -
•   Red Hat Jboss Fuse Version 7.0.0
•   Red Hat Process Automation Version 7.0
•   Red Hat Jboss Data Grid Version 7.0.0
•   Red Hat Openshift Application Runtimes Version -
•   Red Hat Codeready Studio Version 12.0
•   Red Hat Integration Camel K Version -
•   Red Hat Openshift Container Platform Version 4.6
•   Red Hat Jboss A Mq Version 7
•   Red Hat Openshift Container Platform Version 4.7
•   Red Hat Integration Camel Quarkus Version -
•   Red Hat Jboss A Mq Streaming Version -
•   Red Hat Openshift Container Platform Version 4.8

•   Oracle Weblogic Server Version 12.2.1.3.0
•   Oracle Business Intelligence Version 12.2.1.3.0
•   Oracle Business Process Management Suite Version 12.2.1.3.0
•   Oracle Jdeveloper Version 12.2.1.3.0
•   Oracle Identity Management Suite Version 12.2.1.3.0
•   Oracle Business Intelligence Version 12.2.1.4.0
•   Oracle Communications Unified Inventory Management Version 7.3.4
•   Oracle Communications Unified Inventory Management Version 7.3.5
•   Oracle Weblogic Server Version 12.2.1.4.0
•   Oracle Weblogic Server Version 14.1.1.0.0
•   Oracle Enterprise Manager Base Platform Version 13.4.0.0
•   Oracle Communications Network Integrity Version 7.3.6
•   Oracle Business Process Management Suite Version 12.2.1.4.0
•   Oracle Advanced Supply Chain Planning Version 12.2
•   Oracle Advanced Supply Chain Planning Version 12.1
•   Oracle Communications Unified Inventory Management Version 7.4.1
•   Oracle Enterprise Manager Base Platform Version 13.5.0.0
•   Oracle Healthcare Data Repository Version 8.1.0
•   Oracle Communications Messaging Server Version 8.1
•   Oracle Business Intelligence Version 5.9.0.0.0
•   Oracle Communications Eagle Ftp Table Base Retrieval Version 4.5
•   Oracle Retail Extract Transform Load Version 13.2.5
•   Oracle Utilities Testing Accelerator Version 6.0.0.2.2
•   Oracle Utilities Testing Accelerator Version 6.0.0.3.1
•   Oracle Utilities Testing Accelerator Version 6.0.0.1.1
•   Oracle Retail Allocation Version 14.1.3.2
•   Oracle Retail Allocation Version 15.0.3.1
•   Oracle Retail Allocation Version 16.0.3
•   Oracle Retail Allocation Version 19.0.1
•   Oracle Communications Unified Inventory Management Version 7.4.2
•   Oracle Identity Management Suite Version 12.2.1.4.0
•   Oracle Financial Services Revenue Management Billing Analytics Version 2.7.0.0
•   Oracle Hyperion Data Relationship Management Fixed in Version 11.2.8.0
•   Oracle Financial Services Revenue Management Billing Analytics Version 2.8.0.0
•   Oracle Mysql Enterprise Monitor Up to Version 8.0.29
•   Oracle Hyperion Infrastructure Technology Fixed in Version 11.2.8.0
•   Oracle Tuxedo Version 12.2.2.0.0
•   Oracle E Business Suite Cloud Manager Cloud Backup Module Version 2.2.1.1.1
•   Oracle Financial Services Revenue Management Billing Analytics Version 2.7.0.1
•   Oracle Fusion Middleware Common Libraries Tools Version 12.2.1.4.0
•   Oracle Communications Offline Mediation Controller Version 12.0.0.5.0
•   Oracle Timesten Grid Version -
•   Oracle Communications Offline Mediation Controller Fixed in Version 12.0.0.4.0
•   Oracle Stream Analytics Version -
•   Oracle Goldengate Version -

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-4104