Vulnerability Details CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
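A defensive check for the condition described above, added here as an example and not taken from Apache or the CVE record: it scans the text of a Log4j 1.2 properties file for a configured JMSAppender and reports the two binding settings the description names. The function name, the `remote_lookup` heuristic and the sample configuration are constructed for illustration.

```python
import re

JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# The two JMSAppender settings the advisory names as JNDI lookup inputs.
JNDI_PROPS = {"topicbindingname", "topicconnectionfactorybindingname"}
APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.\s]+)(?:\.([^.\s]+))?$")

# Constructed sample configuration (not from a real system).
SAMPLE = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://directory.example.invalid/topic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""


def audit_log4j1_properties(text):
    """Return one finding per JMSAppender defined in a log4j.properties body."""
    classes, settings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, value = (part.strip() for part in line.split("=", 1))
        m = APPENDER_KEY.match(key)
        if m is None:
            continue
        name, prop = m.groups()
        if prop is None:
            classes[name] = value  # log4j.appender.<name>=<class>
        elif prop.lower() in JNDI_PROPS:
            settings.setdefault(name, {})[prop] = value
    findings = []
    for name, cls in classes.items():
        if cls != JMS_CLASS:
            continue
        bindings = settings.get(name, {})
        findings.append({
            "appender": name,
            "bindings": bindings,
            "remote_lookup": any("://" in v for v in bindings.values()),  # URL-form name (heuristic)
        })
    return findings


if __name__ == "__main__":
    print(audit_log4j1_properties(SAMPLE))
```

Any finding means the JMSAppender precondition is met and the configuration file's write permissions deserve review; an empty list means this file does not define a JMSAppender.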
Exploit prediction scoring system (EPSS) score
EPSS Score 0.737
EPSS Ranking 98.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.0
Products affected by CVE-2021-4104
- cpe:2.3:a:apache:log4j:1.2
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2
- cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0
- cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0
- cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0
- cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5
- cpe:2.3:a:oracle:communications_messaging_server:8.1
- cpe:2.3:a:oracle:communications_network_integrity:7.3.6
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2
- cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0
- cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0
- cpe:2.3:a:oracle:goldengate:-
- cpe:2.3:a:oracle:healthcare_data_repository:8.1.0
- cpe:2.3:a:oracle:hyperion_data_relationship_management:-
- cpe:2.3:a:oracle:hyperion_data_relationship_management:11.1.2.4
- cpe:2.3:a:oracle:hyperion_data_relationship_management:11.1.2.4.330
- cpe:2.3:a:oracle:hyperion_data_relationship_management:11.1.2.4.344
- cpe:2.3:a:oracle:hyperion_data_relationship_management:11.1.2.4.345
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.6.0
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.5.0
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.6.0
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.7.0
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0
- cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:-
- cpe:2.3:a:oracle:mysql_enterprise_monitor:2.3.14
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.25
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.3.7856
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.5
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.6.8003
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.1.7
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.10
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.1182
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.3
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.5
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.6
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.7
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.8.2223
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.2.9
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.2.1162
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.3
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.4.3247
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.5
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.6
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.6.3293
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.7
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.8
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.3.9
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.10
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.2.4181
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.3
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.4.4226
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.5
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.6
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.7
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.7.4297
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.8
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.9
- cpe:2.3:a:oracle:mysql_enterprise_monitor:3.4.9.4237
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.0.5135
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.11.5331
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.12
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.3
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.4
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.4.5235
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.5
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.6
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.6.5281
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.7
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.0.8
- cpe:2.3:a:oracle:mysql_enterprise_monitor:4.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.0
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.0.8131
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.1
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.14
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.18.1217
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.2
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.2.8191
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.20
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.21
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.22
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.25
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.29
- cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.3
- cpe:2.3:a:oracle:retail_allocation:14.1.3.2
- cpe:2.3:a:oracle:retail_allocation:15.0.3.1
- cpe:2.3:a:oracle:retail_allocation:16.0.3
- cpe:2.3:a:oracle:retail_allocation:19.0.1
- cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5
- cpe:2.3:a:oracle:stream_analytics:-
- cpe:2.3:a:oracle:timesten_grid:-
- cpe:2.3:a:oracle:tuxedo:12.2.2.0.0
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0
- cpe:2.3:a:redhat:codeready_studio:12.0
- cpe:2.3:a:redhat:integration_camel_k:-
- cpe:2.3:a:redhat:integration_camel_quarkus:-
- cpe:2.3:a:redhat:jboss_a-mq:6.0.0
- cpe:2.3:a:redhat:jboss_a-mq:7
- cpe:2.3:a:redhat:jboss_a-mq_streaming:-
- cpe:2.3:a:redhat:jboss_data_grid:7.0.0
- cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0
- cpe:2.3:a:redhat:jboss_fuse:6.0.0
- cpe:2.3:a:redhat:jboss_fuse:7.0.0
- cpe:2.3:a:redhat:jboss_fuse_service_works:6.0
- cpe:2.3:a:redhat:jboss_operations_network:3.0
- cpe:2.3:a:redhat:jboss_web_server:3.0
- cpe:2.3:a:redhat:openshift_application_runtimes:-
- cpe:2.3:a:redhat:openshift_container_platform:4.6
- cpe:2.3:a:redhat:openshift_container_platform:4.7
- cpe:2.3:a:redhat:openshift_container_platform:4.8
- cpe:2.3:a:redhat:process_automation:7.0
- cpe:2.3:a:redhat:single_sign-on:7.0
- cpe:2.3:a:redhat:software_collections:-
- cpe:2.3:o:fedoraproject:fedora:35
- cpe:2.3:o:redhat:enterprise_linux:6.0
- cpe:2.3:o:redhat:enterprise_linux:7.0
- cpe:2.3:o:redhat:enterprise_linux:8.0