CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Published Dec 10, 2021
·
Updated

A flaw was found in the Java logging library Apache Log4j in version 1.x . This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.

In 1.x you will find that there are two places where lookups are done - that is JMSAppender.java:207 and JMSAppender.java:222 - if you set TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a" JNDI will do exactly the same thing it does for 2.x - so 1.x is vulnerable, just attack vector is "safer" as it depends on configuration rather than user input

This flaw in Log4j 2.x is tracked via CVE-2021-44228

Other sources

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP endpoint.

Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Affected Software

225 affected componentsFixes available
redhat/log4j<0:1.2.14-6.5.el6_10
0:1.2.14-6.5.el6_10
redhat/log4j<0:1.2.17-17.el7_4
0:1.2.17-17.el7_4
redhat/log4j<0:1.2.17-16.el7_3
0:1.2.17-16.el7_3
redhat/log4j-eap6<0:1.2.17-3.redhat_00008.1.ep6.el6
0:1.2.17-3.redhat_00008.1.ep6.el6
redhat/log4j-jboss-logmanager<0:1.1.4-3.Final_redhat_00002.1.ep6.el6
0:1.1.4-3.Final_redhat_00002.1.ep6.el6
redhat/jboss-as-appclient<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-appclient<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-bundles<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-cli<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-client-all<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-clustering<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-cmp<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-configadmin<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-connector<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-controller-client<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-core<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-core-security<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-deployment-repository<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-deployment-scanner<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-domain<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-domain-http<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-domain-management<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-ee<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-ee-deployment<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-ejb3<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-embedded<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-host-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jacorb<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-javadocs<0:7.5.24-1.Final_redhat_00001.1.ep6.el6
0:7.5.24-1.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jaxr<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jaxrs<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jdr<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jmx<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jpa<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jsf<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-jsr77<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-logging<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-mail<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-management-client-content<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-messaging<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-modcluster<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-modules-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-naming<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-network<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-osgi<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-osgi-configadmin<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-osgi-service<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-picketlink<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-platform-mbean<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-pojo<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-process-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-product-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-protocol<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-remoting<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-sar<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-security<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-server<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-standalone<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-system-jmx<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-threads<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-transactions<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-version<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-web<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-webservices<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossas-welcome-content-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-weld<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jboss-as-xts<0:7.5.24-2.Final_redhat_00001.1.ep6.el6
0:7.5.24-2.Final_redhat_00001.1.ep6.el6
redhat/jbossts<1:4.17.45-2.Final_redhat_2.1.ep6.el6
1:4.17.45-2.Final_redhat_2.1.ep6.el6
redhat/jbossweb<0:7.5.32-2.Final_redhat_1.2.ep6.el6
0:7.5.32-2.Final_redhat_1.2.ep6.el6
redhat/log4j-eap6<0:1.2.17-3.redhat_00008.1.ep6.el7
0:1.2.17-3.redhat_00008.1.ep6.el7
redhat/log4j-jboss-logmanager<0:1.1.4-3.Final_redhat_00002.1.ep6.el7
0:1.1.4-3.Final_redhat_00002.1.ep6.el7
redhat/jboss-as-appclient<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-appclient<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-bundles<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-cli<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-client-all<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-clustering<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-cmp<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-configadmin<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-connector<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-controller-client<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-core<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-core-security<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-deployment-repository<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-deployment-scanner<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-domain<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-domain-http<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-domain-management<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-ee<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-ee-deployment<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-ejb3<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-embedded<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-host-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jacorb<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-javadocs<0:7.5.24-1.Final_redhat_00001.1.ep6.el7
0:7.5.24-1.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jaxr<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jaxrs<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jdr<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jmx<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jpa<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jsf<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-jsr77<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-logging<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-mail<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-management-client-content<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-messaging<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-modcluster<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-modules-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-naming<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-network<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-osgi<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-osgi-configadmin<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-osgi-service<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-picketlink<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-platform-mbean<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-pojo<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-process-controller<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-product-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-protocol<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-remoting<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-sar<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-security<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-server<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-standalone<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-system-jmx<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-threads<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-transactions<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-version<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-web<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-webservices<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossas-welcome-content-eap<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-weld<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jboss-as-xts<0:7.5.24-2.Final_redhat_00001.1.ep6.el7
0:7.5.24-2.Final_redhat_00001.1.ep6.el7
redhat/jbossts<1:4.17.45-2.Final_redhat_2.1.ep6.el7
1:4.17.45-2.Final_redhat_2.1.ep6.el7
redhat/jbossweb<0:7.5.32-2.Final_redhat_1.2.ep6.el7
0:7.5.32-2.Final_redhat_1.2.ep6.el7
redhat/eap7-log4j-jboss-logmanager<0:1.2.2-1.Final_redhat_00002.1.el8ea
0:1.2.2-1.Final_redhat_00002.1.el8ea
redhat/eap7-log4j<0:2.17.1-1.redhat_00001.1.el8ea
0:2.17.1-1.redhat_00001.1.el8ea
redhat/eap7-log4j-jboss-logmanager<0:1.2.2-1.Final_redhat_00002.1.el7ea
0:1.2.2-1.Final_redhat_00002.1.el7ea
redhat/eap7-log4j<0:2.17.1-1.redhat_00001.1.el7ea
0:2.17.1-1.redhat_00001.1.el7ea
redhat/tomcat7<0:7.0.70-46.ep7.el7
0:7.0.70-46.ep7.el7
redhat/tomcat8<0:8.0.36-49.ep7.el7
0:8.0.36-49.ep7.el7
redhat/tomcat-native<0:1.2.23-26.redhat_26.ep7.el7
0:1.2.23-26.redhat_26.ep7.el7
redhat/rh-sso7-keycloak<0:15.0.4-1.redhat_00003.1.el7
0:15.0.4-1.redhat_00003.1.el7
redhat/rh-sso7-keycloak<0:15.0.4-1.redhat_00003.1.el8
0:15.0.4-1.redhat_00003.1.el8
redhat/rh-maven36-log4j12<0:1.2.17-23.3.el7
0:1.2.17-23.3.el7
redhat/snmp4j<0:3.6.4-0.1.el8e
0:3.6.4-0.1.el8e
redhat/redhat-sso<7-sso75-openshift-rhel8
7-sso75-openshift-rhel8
maven/org.zenframework.z8.dependencies.commons:log4j-1.2.17<=2.0
maven/log4j:log4j>=1.2.0<=1.2.17
IBM QRadar SIEM<=7.5 - 7.5.0 UP7
Apache Log4j=1.2
Fedoraproject Fedora=35
redhat Codeready Studio=12.0
redhat Integration Camel K
redhat Integration Camel Quarkus
redhat JBoss A-MQ=6.0.0
redhat JBoss A-MQ=7
redhat Jboss A-mq Streaming
redhat Jboss Data Grid=7.0.0
redhat Jboss Data Virtualization=6.0.0
redhat JBoss Enterprise Application Platform=6.0.0
redhat JBoss Enterprise Application Platform=7.0
redhat Jboss Fuse=6.0.0
redhat Jboss Fuse=7.0.0
redhat Jboss Fuse Service Works=6.0
redhat JBoss Operations Network=3.0
redhat Jboss Web Server=3.0
redhat Openshift Application Runtimes
redhat OpenShift Container Platform=4.6
redhat OpenShift Container Platform=4.7
redhat OpenShift Container Platform=4.8
redhat Process Automation=7.0
redhat Single Sign-on=7.0
redhat Software Collections
redhat Enterprise Linux=6.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
Oracle Advanced Supply Chain Planning=12.1
Oracle Advanced Supply Chain Planning=12.2
Oracle Business Intelligence=5.9.0.0.0
Oracle Business Intelligence=12.2.1.3.0
Oracle Business Intelligence=12.2.1.4.0
Oracle Business Process Management Suite=12.2.1.3.0
Oracle Business Process Management Suite=12.2.1.4.0
Oracle Communications Eagle Ftp Table Base Retrieval=4.5
Oracle Communications Messaging Server=8.1
Oracle Communications Network Integrity=7.3.6
Oracle Communications Offline Mediation Controller<12.0.0.4.0
Oracle Communications Offline Mediation Controller=12.0.0.5.0
Oracle Communications Unified Inventory Management=7.3.4
Oracle Communications Unified Inventory Management=7.3.5
Oracle Communications Unified Inventory Management=7.4.1
Oracle Communications Unified Inventory Management=7.4.2
Oracle E-business Suite Cloud Manager And Cloud Backup Module=2.2.1.1.1
Oracle Enterprise Manager Base Platform=13.4.0.0
Oracle Enterprise Manager Base Platform=13.5.0.0
Oracle Financial Services Revenue Management And Billing Analytics=2.7.0.0
Oracle Financial Services Revenue Management And Billing Analytics=2.7.0.1
Oracle Financial Services Revenue Management And Billing Analytics=2.8.0.0
Oracle Fusion Middleware Common Libraries And Tools=12.2.1.4.0
Oracle GoldenGate
Oracle Healthcare Data Repository=8.1.0
Oracle Hyperion Data Relationship Management<11.2.8.0
Oracle Hyperion Infrastructure Technology<11.2.8.0
Oracle Identity Management Suite=12.2.1.3.0
Oracle Identity Management Suite=12.2.1.4.0
Oracle JDeveloper=12.2.1.3.0
Oracle MySQL Enterprise Monitor<=8.0.29
Oracle Retail Allocation=14.1.3.2
Oracle Retail Allocation=15.0.3.1
Oracle Retail Allocation=16.0.3
Oracle Retail Allocation=19.0.1
Oracle Retail Extract Transform And Load=13.2.5
Oracle Stream Analytics
Oracle Timesten Grid
Oracle Tuxedo=12.2.2.0.0
Oracle Utilities Testing Accelerator=6.0.0.1.1
Oracle Utilities Testing Accelerator=6.0.0.2.2
Oracle Utilities Testing Accelerator=6.0.0.3.1
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
redhat/log4j<2.15.0
2.15.0

Remediation

Patch Available

https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126

Patch Available

https://www.kb.cert.org/vuls/id/930724

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Information

These are the possible mitigations for this flaw for releases version 1.x: - Comment out or remove JMSAppender in the Log4j configuration if it is used - Remove the JMSAppender class from the classpath. For example: ``` zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class ``` - Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.

Event History

Dec 10, 2021
CVE Published
12:00 AM
Dec 13, 2021
Data Sourced
via Red Hat·07:54 AM
DescriptionSeverityAffected Software
Dec 14, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness
Data Sourced
via NVD·12:15 PM
DescriptionSeverityWeaknessAffected Software
Advisory Published
07:49 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2021-4104?

The severity of CVE-2021-4104 is classified as low, but it still poses a risk due to potential remote code execution via JNDI lookups.

2

How do I fix CVE-2021-4104?

To fix CVE-2021-4104, update your Log4j to versions 1.2.17-3.redhat_00008.1.ep6 or later, or to any version above 2.15.0.

3

Who is affected by CVE-2021-4104?

CVE-2021-4104 affects applications using Apache Log4j version 1.2.0 to 1.2.17, particularly those with write access to the Log4j configuration.

4

What types of attacks can CVE-2021-4104 enable?

CVE-2021-4104 can potentially enable remote code execution attacks by allowing an attacker to manipulate JMSAppender configuration.

5

Is there a workaround for CVE-2021-4104?

A possible workaround for CVE-2021-4104 is to disable the JMSAppender or restrict modification rights on the Log4j configuration.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203