
CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

EPSS 72.20% · P99

I. Basic Information for CVE-2021-4104

Vulnerability Information


Vulnerability Title
Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
Source: NVD (National Vulnerability Database)
Vulnerability Description
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Deserialization of untrusted data
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Log4j code issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j 1.2 contains a code issue vulnerability that an attacker can exploit to execute code through JMSAppender deserialization.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
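As an added defender-side check for the configuration condition described in the NVD text above (example code written for this page, not taken from the advisory or from any of the linked POC repositories): the script reads a Log4j 1.2 properties file, flags every appender of class org.apache.log4j.net.JMSAppender, and reports the TopicBindingName, TopicConnectionFactoryBindingName, ProviderURL and InitialContextFactoryName values that steer its JNDI lookups, plus the loggers that reference it. The sample configuration and its provider host are constructed; XML-style Log4j 1.x configurations are not handled.

```python
from __future__ import annotations
import re

# Constructed sample of a Log4j 1.2 properties file (not taken from the advisory).
SAMPLE_LOG4J_PROPERTIES = """
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://directory.example.invalid:389/
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two binding names are the settings named in the CVE text; the provider and
# context-factory settings decide where those JNDI lookups are sent.
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName",
             "ProviderURL", "InitialContextFactoryName")

def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def referencing_loggers(props: dict[str, str], appender: str) -> list[str]:
    # Root and named loggers list their appenders after the level: "INFO, a, b".
    return [key for key, value in props.items()
            if (key == "log4j.rootLogger" or key.startswith("log4j.logger."))
            and appender in [p.strip() for p in value.split(",")[1:]]]

def find_jms_appenders(props: dict[str, str]) -> list[dict]:
    """Report every JMSAppender, its JNDI-related settings, and the loggers using it."""
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            findings.append({"appender": name,
                             "referenced_by": referencing_loggers(props, name),
                             **{k: props.get(f"log4j.appender.{name}.{k}") for k in JNDI_KEYS}})
    return findings
```

Any finding means the non-default JMSAppender condition from the advisory is present; the mitigation the advisory gives is to move to Log4j 2, and until then the appender should be removed from the configuration and write access to that file restricted.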


Affected Products

Vendor: Apache Software Foundation
Product: Apache Log4j 1.x (Apache Log4j 1.2)
Affected Versions: 1.2.x
CPE: -

II. Public POCs for CVE-2021-4104

1. log4j 1.x RCE PoC -- CVE-2021-4104
   Source: https://github.com/cckuailong/log4shell_1.x
2. Log4j version 1.2.17 without the offending class responsible for CVE-2021-4104.
   Source: https://github.com/open-AIMS/log4j
3. Flexnet is susceptible to Log4j JNDI remote code execution.
   Source: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/flexnet-log4j-rce.yaml
4. (no description given)
   Source: https://github.com/cuijiung/log4j-CVE-2021-4104

III. Intelligence Information for CVE-2021-4104


Same Patch Batch · Apache Software Foundation · 2021-12-14 · 3 CVEs total

CVE-2021-44549: SMTPS server hostname not checked when making TLS connection to SMTPS server
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a de

IV. Related Vulnerabilities
