Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
1

CVE-2021-4104

Disclosure Date: December 14, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
5.9
Exploitability Score:
1.6
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache,
  • fedoraproject,
  • oracle,
  • redhat

Products

  • advanced supply chain planning 12.1,
  • advanced supply chain planning 12.2,
  • business intelligence 12.2.1.3.0,
  • business intelligence 12.2.1.4.0,
  • business intelligence 5.9.0.0.0,
  • business process management suite 12.2.1.3.0,
  • business process management suite 12.2.1.4.0,
  • codeready studio 12.0,
  • communications eagle ftp table base retrieval 4.5,
  • communications messaging server 8.1,
  • communications network integrity 7.3.6,
  • communications offline mediation controller,
  • communications offline mediation controller 12.0.0.5.0,
  • communications unified inventory management 7.3.4,
  • communications unified inventory management 7.3.5,
  • communications unified inventory management 7.4.1,
  • communications unified inventory management 7.4.2,
  • e-business suite cloud manager and cloud backup module 2.2.1.1.1,
  • enterprise linux 6.0,
  • enterprise linux 7.0,
  • enterprise linux 8.0,
  • enterprise manager base platform 13.4.0.0,
  • enterprise manager base platform 13.5.0.0,
  • fedora 35,
  • financial services revenue management and billing analytics 2.7.0.0,
  • financial services revenue management and billing analytics 2.7.0.1,
  • financial services revenue management and billing analytics 2.8.0.0,
  • fusion middleware common libraries and tools 12.2.1.4.0,
  • goldengate -,
  • healthcare data repository 8.1.0,
  • hyperion data relationship management,
  • hyperion infrastructure technology,
  • identity management suite 12.2.1.3.0,
  • identity management suite 12.2.1.4.0,
  • integration camel k -,
  • integration camel quarkus -,
  • jboss a-mq 6.0.0,
  • jboss a-mq 7,
  • jboss a-mq streaming -,
  • jboss data grid 7.0.0,
  • jboss data virtualization 6.0.0,
  • jboss enterprise application platform 6.0.0,
  • jboss enterprise application platform 7.0,
  • jboss fuse 6.0.0,
  • jboss fuse 7.0.0,
  • jboss fuse service works 6.0,
  • jboss operations network 3.0,
  • jboss web server 3.0,
  • jdeveloper 12.2.1.3.0,
  • log4j 1.2,
  • mysql enterprise monitor,
  • openshift application runtimes -,
  • openshift container platform 4.6,
  • openshift container platform 4.7,
  • openshift container platform 4.8,
  • process automation 7.0,
  • retail allocation 14.1.3.2,
  • retail allocation 15.0.3.1,
  • retail allocation 16.0.3,
  • retail allocation 19.0.1,
  • retail extract transform and load 13.2.5,
  • single sign-on 7.0,
  • software collections -,
  • stream analytics -,
  • timesten grid -,
  • tuxedo 12.2.2.0.0,
  • utilities testing accelerator 6.0.0.1.1,
  • utilities testing accelerator 6.0.0.2.2,
  • utilities testing accelerator 6.0.0.3.1,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0
Technical Analysis