Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
CVE-2021-4104

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Log4j 1.x
Vendor: CVE Published:; 14 December 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 11%

Summary

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Affected Version(s)

Apache Log4j 1.x Apache Log4j 1.2 1.2.x

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

log4shell_1.x
Created by cckuailong

log4j
Created by open-AIMS

References

https://www.cve.org/CVERecord?id=CVE-2021-44228

https://github.com/apache/logging-log4j2/pull/608#issueco...

https://access.redhat.com/security/cve/CVE-2021-4104

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 10, 2022
👾
Exploit known to exist
Jan 10, 2022
Vulnerability published
Dec 14, 2021
Vulnerability Reserved
Dec 13, 2021