CVE-2021-4104
Severity: 7.5 HIGH
EPSS: 69.3% (top 1.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Dec 14, latest update Jan 15
Description
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end o…
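The precondition described above is entirely in configuration: Log4j 1.2 only reaches JNDI through an appender whose class is org.apache.log4j.net.JMSAppender, and the two JNDI lookups it performs are driven by the TopicBindingName and TopicConnectionFactoryBindingName settings. The following is an added example (not code from the page, from Apache, or from any vendor advisory) that finds that combination in log4j.properties-style and log4j.xml-style configuration and checks a jar for the JMSAppender class so the class can be removed, which is the usual mitigation when upgrading off Log4j 1.2 is not possible. The two sample configurations and the stand-in jar are constructed for the example; only the entry name matters for the jar check, not real class bytes.

```python
"""Static check for the CVE-2021-4104 precondition in Log4j 1.2 deployments.

Added example, not project code. Flags JMSAppender in properties/XML config,
reports the JNDI binding names it would look up, and strips JMSAppender.class
from a jar in memory (the in-place equivalent of
`zip -q -d log4j-1.2.x.jar org/apache/log4j/net/JMSAppender.class`).
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
JMS_CLASS_PATH = "org/apache/log4j/net/JMSAppender.class"

# Constructed sample: a log4j.properties that wires a JMSAppender to JNDI names.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=TopicConnectionFactory
"""

# Constructed sample: the same wiring in log4j.xml syntax.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="TopicConnectionFactory"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

# log4j.appender.<name>[.<key>]=<value>; <key> may itself be dotted (layout.X).
_PROP_LINE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*?)\s*$")


def scan_properties(text):
    """Return {appender_name: {jndi_param: value}} for each JMSAppender found."""
    classes, params = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank or comment line
        m = _PROP_LINE.match(line)
        if not m:
            continue  # not an appender property (e.g. log4j.rootLogger)
        name, key, value = m.groups()
        if key is None:
            classes[name] = value  # log4j.appender.<name>=<class>
        elif key in JNDI_PARAMS:
            params.setdefault(name, {})[key] = value
    return {n: params.get(n, {}) for n, cls in classes.items() if cls == JMS_APPENDER}


def scan_xml(text):
    """Same report for log4j.xml: <appender class=JMSAppender> with <param> children."""
    findings = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") != JMS_APPENDER:
            continue
        findings[app.get("name")] = {
            p.get("name"): p.get("value")
            for p in app.findall("param")
            if p.get("name") in JNDI_PARAMS
        }
    return findings


def jar_has_jms_appender(jar_bytes):
    """True if the jar still ships the JMSAppender class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JMS_CLASS_PATH in zf.namelist()


def strip_jms_appender(jar_bytes):
    """Return a copy of the jar with JMSAppender.class removed; all other entries kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JMS_CLASS_PATH:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for a log4j-1.2.x jar (entry names only, placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMS_CLASS_PATH, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print("properties:", scan_properties(SAMPLE_PROPERTIES))
    print("xml:", scan_xml(SAMPLE_XML))
    jar = build_sample_jar()
    print("before:", jar_has_jms_appender(jar), "after:", jar_has_jms_appender(strip_jms_appender(jar)))
```

The scanners report any JMSAppender, with the binding names when set, rather than only the fully wired case: the appender class alone is the thing that should not be present in a Log4j 1.2 configuration, and whoever can edit that file can add the two names later. Point scan_properties at every log4j.properties an application loads (including ones inside jars and WARs) and scan_xml at log4j.xml files; run jar_has_jms_appender over every log4j-1.2.x jar on the classpath before and after stripping.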
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 1.6 | Impact: 5.9)
Affected Packages: 39 packages
Also affects: Fedora 35, Enterprise Linux 6.0, 7.0, 8.0, Openshift Container Platform 4.6, 4.7, 4.8
🔴Vulnerability Details
💥Exploits & PoCs (6)
Nuclei (1): Flexnet - Remote Code Execution (Apache Log4j)
📋Vendor Advisories
Oracle (11):
Oracle Communications Applications Risk Matrix: Security (Apache Log4j) — CVE-2021-4104 (2024-01-15)
Oracle Fusion Middleware Risk Matrix: Web Console Design (Apache Log4j) — CVE-2021-4104 (2023-07-15)
Oracle Enterprise Manager Risk Matrix: Application Service Level Management (Apache Log4j) — CVE-2021-4104 (2022-10-15)
Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Apache Log4j) — CVE-2021-4104 (2022-01-15)