CVE-2021-4104

HIGH EXPLOITED

Apache Log4j < 12.0.0.4.0 - Insecure Deserialization

Title source: rule

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
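The condition the description names (a Log4j 1.2 appender of class org.apache.log4j.net.JMSAppender, and the TopicBindingName / TopicConnectionFactoryBindingName settings it resolves through JNDI) can be checked directly in a deployed configuration. The following Python script is an added example for that check; it is not part of this record and not taken from any of the PoC repositories listed below. It reads both configuration formats Log4j 1.2 accepts (Java properties and XML), reports every JMSAppender with its JNDI-related parameters, and states whether any logger actually references the appender, since the record notes the issue applies only when the appender is configured for use. The two sample configurations, including the class names and hostname in them, are constructed for this example.

```python
"""Audit a Log4j 1.2 configuration for JMSAppender use (CVE-2021-4104).
Added example, not from the advisory record or any listed PoC repository.
The sample configurations at the bottom are constructed for this example."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Settings JMSAppender hands to JNDI; the record names the first two.
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName",
               "ProviderURL", "InitialContextFactoryName")

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value / key:value, '#' or '!' comments, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def _referenced_in_properties(props, appender):
    """True if the root logger or any named logger lists the appender
    (logger values look like 'LEVEL, appender1, appender2')."""
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or \
                key.startswith(("log4j.logger.", "log4j.category.")):
            if appender in [r.strip() for r in value.split(",")[1:]]:
                return True
    return False

def audit_properties(text):
    props, findings = parse_properties(text), []
    for key, value in props.items():
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if match and value == JMS_APPENDER_CLASS:
            name, prefix = match.group(1), f"log4j.appender.{match.group(1)}."
            params = {p: props[prefix + p] for p in JNDI_PARAMS if prefix + p in props}
            findings.append({"appender": name, "params": params,
                             "referenced": _referenced_in_properties(props, name)})
    return findings

def audit_xml(text):
    root = ET.fromstring(text)
    referenced = {ref.get("ref") for ref in root.iter("appender-ref")}
    findings = []
    for app in root.iter("appender"):
        if app.get("class") != JMS_APPENDER_CLASS:
            continue
        params = {p.get("name"): p.get("value") for p in app.findall("param")
                  if p.get("name") in JNDI_PARAMS}
        findings.append({"appender": app.get("name"), "params": params,
                         "referenced": app.get("name") in referenced})
    return findings

def audit(text):
    """Dispatch on format: an XML config starts with '<', a properties file does not."""
    return audit_xml(text) if text.lstrip().startswith("<") else audit_properties(text)

def describe(findings):
    if not findings:
        return "no JMSAppender configured"
    return "\n".join(
        f"JMSAppender '{f['appender']}' is "
        + ("ATTACHED to a logger" if f["referenced"] else "defined but not attached")
        + f"; JNDI params: {f['params']}" for f in findings)

# Constructed sample 1: the root logger routes to a JMSAppender (hostname and factory class are placeholders).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.jndi.InitialContextFactory
log4j.appender.jms.ProviderURL=tcp://mq.example.internal:61616
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

# Constructed sample 2: an XML config that defines a JMSAppender but never attaches it to a logger.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("log4j.properties", SAMPLE_PROPERTIES), ("log4j.xml", SAMPLE_XML)):
        print(f"== {label}\n{describe(audit(cfg))}")
```

Run it against a real log4j.properties or log4j.xml by passing the file contents to audit(). A JMSAppender that is defined but not referenced by any logger is reported separately, because removing the appender definition, or the write access to the configuration file, is the remediation either way, but the attached case is the one the description treats as exploitable.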

Exploits (3)

nomisec · STUB · 20 stars · by cckuailong · poc
https://github.com/cckuailong/log4shell_1.x

github · FAILED · 5 stars · by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/log4j-CVE-2021-4104

nomisec · WORKING POC · by cuijiung · poc
https://github.com/cuijiung/log4j-CVE-2021-4104

Scores

CVSS v3: 7.5
EPSS: 0.7220
EPSS Percentile: 98.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2022-04-26
CWE: CWE-502
Status: published
Products (50)
apache/log4j 1.2
fedoraproject/fedora 35
log4j/log4j 1.2.0 (Maven)
oracle/advanced_supply_chain_planning 12.1
oracle/advanced_supply_chain_planning 12.2
oracle/business_intelligence 5.9.0.0.0
oracle/business_intelligence 12.2.1.3.0
oracle/business_intelligence 12.2.1.4.0
oracle/business_process_management_suite 12.2.1.3.0
oracle/business_process_management_suite 12.2.1.4.0
... and 40 more
Published: Dec 14, 2021
Tracked Since: Feb 18, 2026