CVE-2021-4104 vulnerability in Apache and Other Products
Published on December 14, 2021
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Vulnerability Analysis
CVE-2021-4104 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.6 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-4104 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-4104 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2021-4104
You can be notified by stack.watch whenever vulnerabilities like CVE-2021-4104 are published in these products:
What versions are vulnerable to CVE-2021-4104?
-
Apache Log4j
Version 1.2
-
Fedora Project Fedora
Version 35
-
Red Hat Jboss Operations Network
Version 3.0
-
Red Hat Jboss A Mq
Version 6.0.0
-
Red Hat Enterprise Linux (RHEL)
Version 7.0
-
Red Hat Enterprise Linux (RHEL)
Version 6.0
-
Red Hat Jboss Enterprise Application Platform
Version 6.0.0
-
Red Hat Jboss Enterprise Application Platform
Version 7.0
-
Red Hat Jboss Fuse
Version 6.0.0
-
Red Hat Jboss Fuse Service Works
Version 6.0
-
Red Hat Jboss Web Server
Version 3.0
-
Red Hat Jboss Data Virtualization
Version 6.0.0
-
Red Hat Enterprise Linux (RHEL)
Version 8.0
-
Red Hat Single Sign On
Version 7.0
-
Red Hat Software Collections
Version -
-
Red Hat Jboss Fuse
Version 7.0.0
-
Red Hat Process Automation
Version 7.0
-
Red Hat Jboss Data Grid
Version 7.0.0
-
Red Hat Openshift Application Runtimes
Version -
-
Red Hat Codeready Studio
Version 12.0
-
Red Hat Integration Camel K
Version -
-
Red Hat Openshift Container Platform
Version 4.6
-
Red Hat Jboss A Mq
Version 7
-
Red Hat Openshift Container Platform
Version 4.7
-
Red Hat Integration Camel Quarkus
Version -
-
Red Hat Jboss A Mq Streaming
Version -
-
Red Hat Openshift Container Platform
Version 4.8
-
Oracle Weblogic Server
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.3.0
-
Oracle Business Process Management Suite
Version 12.2.1.3.0
-
Oracle Jdeveloper
Version 12.2.1.3.0
-
Oracle Identity Management Suite
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.4.0
-
Oracle Communications Unified Inventory Management
Version 7.3.4
-
Oracle Communications Unified Inventory Management
Version 7.3.5
-
Oracle Weblogic Server
Version 12.2.1.4.0
-
Oracle Weblogic Server
Version 14.1.1.0.0
-
Oracle Enterprise Manager Base Platform
Version 13.4.0.0
-
Oracle Communications Network Integrity
Version 7.3.6
-
Oracle Business Process Management Suite
Version 12.2.1.4.0
-
Oracle Advanced Supply Chain Planning
Version 12.2
-
Oracle Advanced Supply Chain Planning
Version 12.1
-
Oracle Communications Unified Inventory Management
Version 7.4.1
-
Oracle Enterprise Manager Base Platform
Version 13.5.0.0
-
Oracle Healthcare Data Repository
Version 8.1.0
-
Oracle Communications Messaging Server
Version 8.1
-
Oracle Business Intelligence
Version 5.9.0.0.0
-
Oracle Communications Eagle Ftp Table Base Retrieval
Version 4.5
-
Oracle Utilities Testing Accelerator
Version 6.0.0.2.2
-
Oracle Utilities Testing Accelerator
Version 6.0.0.3.1
-
Oracle Utilities Testing Accelerator
Version 6.0.0.1.1
-
Oracle Retail Allocation
Version 14.1.3.2
-
Oracle Retail Allocation
Version 15.0.3.1
-
Oracle Retail Extract Transform Load
Version 13.2.5
-
Oracle Retail Allocation
Version 16.0.3
-
Oracle Retail Allocation
Version 19.0.1
-
Oracle Communications Unified Inventory Management
Version 7.4.2
-
Oracle Identity Management Suite
Version 12.2.1.4.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.0
-
Oracle Hyperion Data Relationship Management
Fixed in Version 11.2.8.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.8.0.0
-
Oracle Mysql Enterprise Monitor
Up to Version 8.0.29
-
Oracle Hyperion Infrastructure Technology
Fixed in Version 11.2.8.0
-
Oracle Tuxedo
Version 12.2.2.0.0
-
Oracle E Business Suite Cloud Manager Cloud Backup Module
Version 2.2.1.1.1
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.1
-
Oracle Fusion Middleware Common Libraries Tools
Version 12.2.1.4.0
-
Oracle Timesten Grid
Version -
-
Oracle Communications Offline Mediation Controller
Fixed in Version 12.0.0.4.0
-
Oracle Communications Offline Mediation Controller
Version 12.0.0.5.0
-
Oracle Stream Analytics
Version -
-
Oracle Goldengate
Version -
Vulnerable Packages
The following package name and versions may be associated with CVE-2021-4104
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | ru.yandex.clickhouse:clickhouse-jdbc-bridge | < 2.0.7 | 2.0.7 |