CVE-2021-4104

HIGH EXPLOITED

Apache Log4j < 12.0.0.4.0 - Insecure Deserialization

Title source: rule

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Exploits (3)

nomisec STUB 20 stars
by cckuailong · poc
https://github.com/cckuailong/log4shell_1.x

github FAILED 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/log4j-CVE-2021-4104

nomisec WORKING POC
by cuijiung · poc
https://github.com/cuijiung/log4j-CVE-2021-4104

Scores

CVSS v3 7.5
EPSS 0.7220
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2022-04-26

Classification

CWE CWE-502
Status published

Affected Products (50)

apache/log4j
fedoraproject/fedora
redhat/codeready_studio
redhat/integration_camel_k
redhat/integration_camel_quarkus
redhat/jboss_a-mq
redhat/jboss_a-mq
redhat/jboss_a-mq_streaming
redhat/jboss_data_grid
redhat/jboss_data_virtualization
redhat/jboss_enterprise_application_platform
redhat/jboss_enterprise_application_platform
redhat/jboss_fuse
redhat/jboss_fuse
redhat/jboss_fuse_service_works
... and 35 more

Timeline

Published Dec 14, 2021
Tracked Since Feb 18, 2026