oss-sec mailing list archives

CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

From: Ralph Goers <rgoers () apache org>
Date: Mon, 13 Dec 2021 16:10:57 +0000

Description:

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the 
Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations 
causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to 
CVE-2021-44228.  

Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other 
issues from the previous versions.

References:

https://www.cve.org/CVERecord?id=CVE-2021-44228
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
https://access.redhat.com/security/cve/CVE-2021-4104

Current thread:

CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2 Ralph Goers (Dec 13)
- Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2 Moritz Bechler (Dec 13)