CVE-2021-4104

CVSS v3.1 7.5 (High)
CVSS v2.0 6 (Medium)
EPSS 15.91 % (96th)
Affected Products 46
Advisories 33

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Weaknesses
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
Apache Software Foundation
Published Date
2021-12-14 12:15:12
Updated Date
2023-12-22 09:15:36

Affected Products


Configuration #1

| Product | CPE23 | From | Up To |
| Apache Log4j 1.2 | cpe:2.3:a:apache:log4j:1.2 | | |

Configuration #2

| Product | CPE23 | From | Up To |
| Fedoraproject Fedora 35 | cpe:2.3:o:fedoraproject:fedora:35 | | |

Configuration #3

| Product | CPE23 | From | Up To |
| Redhat Codeready Studio 12.0 | cpe:2.3:a:redhat:codeready_studio:12.0 | | |
| Redhat Integration Camel K | cpe:2.3:a:redhat:integration_camel_k:- | | |
| Redhat Integration Camel Quarkus | cpe:2.3:a:redhat:integration_camel_quarkus:- | | |
| Redhat Jboss A-mq 6.0.0 | cpe:2.3:a:redhat:jboss_a-mq:6.0.0 | | |
| Redhat Jboss A-mq 7 | cpe:2.3:a:redhat:jboss_a-mq:7 | | |
| Redhat Jboss A-mq Streaming | cpe:2.3:a:redhat:jboss_a-mq_streaming:- | | |
| Redhat Jboss Data Grid 7.0.0 | cpe:2.3:a:redhat:jboss_data_grid:7.0.0 | | |
| Redhat Jboss Data Virtualization 6.0.0 | cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0 | | |
| Redhat Jboss Enterprise Application Platform 6.0.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0 | | |
| Redhat Jboss Enterprise Application Platform 7.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0 | | |
| Redhat Jboss Fuse 6.0.0 | cpe:2.3:a:redhat:jboss_fuse:6.0.0 | | |
| Redhat Jboss Fuse 7.0.0 | cpe:2.3:a:redhat:jboss_fuse:7.0.0 | | |
| Redhat Jboss Fuse Service Works 6.0 | cpe:2.3:a:redhat:jboss_fuse_service_works:6.0 | | |
| Redhat Jboss Operations Network 3.0 | cpe:2.3:a:redhat:jboss_operations_network:3.0 | | |
| Redhat Jboss Web Server 3.0 | cpe:2.3:a:redhat:jboss_web_server:3.0 | | |
| Redhat Openshift Application Runtimes | cpe:2.3:a:redhat:openshift_application_runtimes:- | | |
| Redhat Openshift Container Platform 4.6 | cpe:2.3:a:redhat:openshift_container_platform:4.6 | | |
| Redhat Openshift Container Platform 4.7 | cpe:2.3:a:redhat:openshift_container_platform:4.7 | | |
| Redhat Openshift Container Platform 4.8 | cpe:2.3:a:redhat:openshift_container_platform:4.8 | | |
| Redhat Process Automation 7.0 | cpe:2.3:a:redhat:process_automation:7.0 | | |
| Redhat Single Sign-on 7.0 | cpe:2.3:a:redhat:single_sign-on:7.0 | | |
| Redhat Software Collections | cpe:2.3:a:redhat:software_collections:- | | |
| Redhat Enterprise Linux 6.0 | cpe:2.3:o:redhat:enterprise_linux:6.0 | | |
| Redhat Enterprise Linux 7.0 | cpe:2.3:o:redhat:enterprise_linux:7.0 | | |
| Redhat Enterprise Linux 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0 | | |

Configuration #4

| Product | CPE23 | From | Up To |
| Oracle Advanced Supply Chain Planning 12.1 | cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1 | | |
| Oracle Advanced Supply Chain Planning 12.2 | cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2 | | |
| Oracle Business Intelligence 5.9.0.0.0 | cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise | | |
| Oracle Business Intelligence 12.2.1.3.0 | cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise | | |
| Oracle Business Intelligence 12.2.1.4.0 | cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise | | |
| Oracle Business Process Management Suite 12.2.1.3.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0 | | |
| Oracle Business Process Management Suite 12.2.1.4.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0 | | |
| Oracle Communications Eagle Ftp Table Base Retrieval 4.5 | cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5 | | |
| Oracle Communications Messaging Server 8.1 | cpe:2.3:a:oracle:communications_messaging_server:8.1 | | |
| Oracle Communications Network Integrity 7.3.6 | cpe:2.3:a:oracle:communications_network_integrity:7.3.6 | | |
| Oracle Communications Offline Mediation Controller | cpe:2.3:a:oracle:communications_offline_mediation_controller | | 12.0.0.4.0 (excluding) |
| Oracle Communications Offline Mediation Controller 12.0.0.5.0 | cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0 | | |
| Oracle Communications Unified Inventory Management 7.3.4 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4 | | |
| Oracle Communications Unified Inventory Management 7.3.5 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5 | | |
| Oracle Communications Unified Inventory Management 7.4.1 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1 | | |
| Oracle Communications Unified Inventory Management 7.4.2 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2 | | |
| Oracle E-business Suite Cloud Manager And Cloud Backup Module 2.2.1.1.1 | cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1 | | |
| Oracle Enterprise Manager Base Platform 13.4.0.0 | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0 | | |
| Oracle Enterprise Manager Base Platform 13.5.0.0 | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0 | | |
| Oracle Financial Services Revenue Management And Billing Analytics 2.7.0.0 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0 | | |
| Oracle Financial Services Revenue Management And Billing Analytics 2.7.0.1 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1 | | |
| Oracle Financial Services Revenue Management And Billing Analytics 2.8.0.0 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0 | | |
| Oracle Fusion Middleware Common Libraries And Tools 12.2.1.4.0 | cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0 | | |
| Oracle Goldengate | cpe:2.3:a:oracle:goldengate:- | | |
| Oracle Healthcare Data Repository 8.1.0 | cpe:2.3:a:oracle:healthcare_data_repository:8.1.0 | | |
| Oracle Hyperion Data Relationship Management | cpe:2.3:a:oracle:hyperion_data_relationship_management | | 11.2.8.0 (excluding) |
| Oracle Hyperion Infrastructure Technology | cpe:2.3:a:oracle:hyperion_infrastructure_technology | | 11.2.8.0 (excluding) |
| Oracle Identity Management Suite 12.2.1.3.0 | cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0 | | |
| Oracle Identity Management Suite 12.2.1.4.0 | cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0 | | |
| Oracle Jdeveloper 12.2.1.3.0 | cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0 | | |
| Oracle Mysql Enterprise Monitor | cpe:2.3:a:oracle:mysql_enterprise_monitor | | 8.0.29 (including) |
| Oracle Retail Allocation 14.1.3.2 | cpe:2.3:a:oracle:retail_allocation:14.1.3.2 | | |
| Oracle Retail Allocation 15.0.3.1 | cpe:2.3:a:oracle:retail_allocation:15.0.3.1 | | |
| Oracle Retail Allocation 16.0.3 | cpe:2.3:a:oracle:retail_allocation:16.0.3 | | |
| Oracle Retail Allocation 19.0.1 | cpe:2.3:a:oracle:retail_allocation:19.0.1 | | |
| Oracle Retail Extract Transform And Load 13.2.5 | cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5 | | |
| Oracle Stream Analytics | cpe:2.3:a:oracle:stream_analytics:- | | |
| Oracle Timesten Grid | cpe:2.3:a:oracle:timesten_grid:- | | |
| Oracle Tuxedo 12.2.2.0.0 | cpe:2.3:a:oracle:tuxedo:12.2.2.0.0 | | |
| Oracle Utilities Testing Accelerator 6.0.0.1.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1 | | |
| Oracle Utilities Testing Accelerator 6.0.0.2.2 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2 | | |
| Oracle Utilities Testing Accelerator 6.0.0.3.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1 | | |
| Oracle Weblogic Server 12.2.1.3.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0 | | |
| Oracle Weblogic Server 12.2.1.4.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0 | | |
| Oracle Weblogic Server 14.1.1.0.0 | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0 | | |