CVE-2021-4104
- CVSS base score 7.5
- EPSS 72.2%
- Published 14.12.2021 12:15:12
- Last modified 21.11.2024 06:36:54
- Source security@apache.org
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Data is provided by the National Vulnerability Database (NVD)
Affected configurations:
- Fedoraproject ≫ Fedora, Version 35
- Redhat ≫ Codeready Studio, Version 12.0
- Redhat ≫ Integration Camel K, Version -
- Redhat ≫ Integration Camel Quarkus, Version -
- Redhat ≫ Jboss A-mq, Version 6.0.0
- Redhat ≫ Jboss A-mq, Version 7
- Redhat ≫ Jboss A-mq Streaming, Version -
- Redhat ≫ Jboss Data Grid, Version 7.0.0
- Redhat ≫ Jboss Data Virtualization, Version 6.0.0
- Redhat ≫ Jboss Enterprise Application Platform, Version 6.0.0
- Redhat ≫ Jboss Enterprise Application Platform, Version 7.0
- Redhat ≫ Jboss Fuse, Version 6.0.0
- Redhat ≫ Jboss Fuse, Version 7.0.0
- Redhat ≫ Jboss Fuse Service Works, Version 6.0
- Redhat ≫ Jboss Operations Network, Version 3.0
- Redhat ≫ Jboss Web Server, Version 3.0
- Redhat ≫ Openshift Application Runtimes, Version -
- Redhat ≫ Openshift Container Platform, Version 4.6
- Redhat ≫ Openshift Container Platform, Version 4.7
- Redhat ≫ Openshift Container Platform, Version 4.8
- Redhat ≫ Process Automation, Version 7.0
- Redhat ≫ Single Sign-on, Version 7.0
- Redhat ≫ Software Collections, Version -
- Redhat ≫ Enterprise Linux, Version 6.0
- Redhat ≫ Enterprise Linux, Version 7.0
- Redhat ≫ Enterprise Linux, Version 8.0
- Oracle ≫ Advanced Supply Chain Planning, Version 12.1
- Oracle ≫ Advanced Supply Chain Planning, Version 12.2
- Oracle ≫ Business Intelligence, Version 5.9.0.0.0, SW edition enterprise
- Oracle ≫ Business Intelligence, Version 12.2.1.3.0, SW edition enterprise
- Oracle ≫ Business Intelligence, Version 12.2.1.4.0, SW edition enterprise
- Oracle ≫ Business Process Management Suite, Version 12.2.1.3.0
- Oracle ≫ Business Process Management Suite, Version 12.2.1.4.0
- Oracle ≫ Communications Eagle Ftp Table Base Retrieval, Version 4.5
- Oracle ≫ Communications Messaging Server, Version 8.1
- Oracle ≫ Communications Network Integrity, Version 7.3.6
- Oracle ≫ Communications Offline Mediation Controller, Version < 12.0.0.4.0
- Oracle ≫ Communications Offline Mediation Controller, Version 12.0.0.5.0
- Oracle ≫ Communications Unified Inventory Management, Version 7.3.4
- Oracle ≫ Communications Unified Inventory Management, Version 7.3.5
- Oracle ≫ Communications Unified Inventory Management, Version 7.4.1
- Oracle ≫ Communications Unified Inventory Management, Version 7.4.2
- Oracle ≫ E-business Suite Cloud Manager And Cloud Backup Module, Version 2.2.1.1.1
- Oracle ≫ Enterprise Manager Base Platform, Version 13.4.0.0
- Oracle ≫ Enterprise Manager Base Platform, Version 13.5.0.0
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version 2.7.0.0
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version 2.7.0.1
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version 2.8.0.0
- Oracle ≫ Fusion Middleware Common Libraries And Tools, Version 12.2.1.4.0
- Oracle ≫ Goldengate, Version -
- Oracle ≫ Healthcare Data Repository, Version 8.1.0
- Oracle ≫ Hyperion Data Relationship Management, Version < 11.2.8.0
- Oracle ≫ Hyperion Infrastructure Technology, Version < 11.2.8.0
- Oracle ≫ Identity Management Suite, Version 12.2.1.3.0
- Oracle ≫ Identity Management Suite, Version 12.2.1.4.0
- Oracle ≫ Jdeveloper, Version 12.2.1.3.0
- Oracle ≫ Mysql Enterprise Monitor, Version <= 8.0.29
- Oracle ≫ Retail Allocation, Version 14.1.3.2
- Oracle ≫ Retail Allocation, Version 15.0.3.1
- Oracle ≫ Retail Allocation, Version 16.0.3
- Oracle ≫ Retail Allocation, Version 19.0.1
- Oracle ≫ Retail Extract Transform And Load, Version 13.2.5
- Oracle ≫ Stream Analytics, Version -
- Oracle ≫ Timesten Grid, Version -
- Oracle ≫ Utilities Testing Accelerator, Version 6.0.0.1.1
- Oracle ≫ Utilities Testing Accelerator, Version 6.0.0.2.2
- Oracle ≫ Utilities Testing Accelerator, Version 6.0.0.3.1
- Oracle ≫ Weblogic Server, Version 12.2.1.3.0
- Oracle ≫ Weblogic Server, Version 12.2.1.4.0
- Oracle ≫ Weblogic Server, Version 14.1.1.0.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 72.2% | 0.987 |

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6 | 6.8 | 6.4 | AV:N/AC:M/Au:S/C:P/I:P/A:P |
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.