Strix
26.1K

CVE-2021-4104

HIGHCVSS 7.5/10EPSS 81.15%

Last modified

CVE-2021-4104 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. EPSS estimates a 81.15% chance of exploitation in the next 30 days.

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
81.15%

99.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ApacheLog4j1.2
FedoraprojectFedora35
RedhatCodeready Studio12.0
RedhatIntegration Camel KAll versions
RedhatIntegration Camel QuarkusAll versions
RedhatJboss A-Mq6.0.0
RedhatJboss A-Mq7
RedhatJboss A-Mq StreamingAll versions
RedhatJboss Data Grid7.0.0
RedhatJboss Data Virtualization6.0.0
RedhatJboss Enterprise Application Platform6.0.0
RedhatJboss Enterprise Application Platform7.0
RedhatJboss Fuse6.0.0
RedhatJboss Fuse7.0.0
RedhatJboss Fuse Service Works6.0
RedhatJboss Operations Network3.0
RedhatJboss Web Server3.0
RedhatOpenshift Application RuntimesAll versions
RedhatOpenshift Container Platform4.6
RedhatOpenshift Container Platform4.7
RedhatOpenshift Container Platform4.8
RedhatProcess Automation7.0
RedhatSingle Sign-On7.0
RedhatSoftware CollectionsAll versions
RedhatEnterprise Linux6.0
RedhatEnterprise Linux7.0
RedhatEnterprise Linux8.0
OracleAdvanced Supply Chain Planning12.1
OracleAdvanced Supply Chain Planning12.2
OracleBusiness Intelligence5.9.0.0.0
OracleBusiness Intelligence12.2.1.3.0
OracleBusiness Intelligence12.2.1.4.0
OracleBusiness Process Management Suite12.2.1.3.0
OracleBusiness Process Management Suite12.2.1.4.0
OracleCommunications Eagle Ftp Table Base Retrieval4.5
OracleCommunications Messaging Server8.1
OracleCommunications Network Integrity7.3.6
OracleCommunications Offline Mediation Controller< 12.0.0.4.0
OracleCommunications Offline Mediation Controller12.0.0.5.0
OracleCommunications Unified Inventory Management7.3.4
OracleCommunications Unified Inventory Management7.3.5
OracleCommunications Unified Inventory Management7.4.1
OracleCommunications Unified Inventory Management7.4.2
OracleE-Business Suite Cloud Manager And Cloud Backup Module2.2.1.1.1
OracleEnterprise Manager Base Platform13.4.0.0
OracleEnterprise Manager Base Platform13.5.0.0
OracleFinancial Services Revenue Management And Billing Analytics2.7.0.0
OracleFinancial Services Revenue Management And Billing Analytics2.7.0.1
OracleFinancial Services Revenue Management And Billing Analytics2.8.0.0
OracleFusion Middleware Common Libraries And Tools12.2.1.4.0

Showing 50 of 72 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-4104?
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
How severe is CVE-2021-4104?
CVE-2021-4104 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 81.15% probability of exploitation in the next 30 days.
How do I fix CVE-2021-4104?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-4104?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST