PT-2021-5597 · Apache · Log4J
| Published | 2021-12-10 |
| Updated | 2026-05-22 |
| CVE | CVE-2021-4104 |
| CVSS v2.0 | 7.6 (High) |
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Log4j version 1.2
Description
The issue is in the JMSAppender of Log4j 1.2, which is vulnerable to deserialization of untrusted data. An attacker with write access to the Log4j configuration can set the TopicBindingName and TopicConnectionFactoryBindingName parameters, causing JMSAppender to perform JNDI lookups that result in remote code execution. This issue only affects Log4j 1.2 when it is specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015.
Recommendations
For Log4j version 1.2, upgrade to Log4j 2, which also addresses numerous other issues in the previous versions. As a temporary workaround, consider disabling the JMSAppender until a patch is available. Restrict access to the JMSAppender configuration to minimize the risk of exploitation. Avoid using the TopicBindingName and TopicConnectionFactoryBindingName parameters in the affected Log4j configuration until the issue is resolved.
Exploit
Fix
RCE
Deserialization of Untrusted Data
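As an added example (not code from the advisory or from the Log4j project), the following Python script applies the Recommendations above from the defender's side: it parses a log4j.properties or log4j.xml document, reports whether org.apache.log4j.net.JMSAppender is configured, and lists whether the TopicBindingName and TopicConnectionFactoryBindingName parameters are set on it. The sample configurations, the broker host and the context-factory class name inside them are constructed placeholders, and the verdict strings in `assess` are this example's own wording.

```python
"""Detect Log4j 1.2 JMSAppender configuration relevant to CVE-2021-4104.

Added example, not part of the advisory. It checks a log4j.properties or
log4j.xml document for org.apache.log4j.net.JMSAppender and reports whether
the JNDI-resolved TopicBindingName / TopicConnectionFactoryBindingName
parameters are set. The sample configurations below are constructed.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Both parameters are resolved through JNDI by JMSAppender (see Description).
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def scan_properties(text):
    """Return one finding per JMSAppender declared in log4j.properties text.

    A finding is {"appender": name, "params": {param: value}}, where params
    holds whichever of the JNDI parameters is set on that appender.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    findings = []
    for key, value in props.items():
        # Appenders are declared as log4j.appender.<name>=<class>
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not match or value != JMS_APPENDER_CLASS:
            continue
        name = match.group(1)
        params = {}
        for param in JNDI_PARAMS:
            full_key = f"log4j.appender.{name}.{param}"
            if full_key in props:
                params[param] = props[full_key]
        findings.append({"appender": name, "params": params})
    return findings


def scan_xml(text):
    """Same scan for a Log4j 1.2 log4j.xml (DOMConfigurator) document."""
    root = ET.fromstring(text)
    findings = []
    for appender in root.iter("appender"):
        if appender.get("class") != JMS_APPENDER_CLASS:
            continue
        params = {}
        for param in appender.findall("param"):
            if param.get("name") in JNDI_PARAMS:
                params[param.get("name")] = param.get("value", "")
        findings.append({"appender": appender.get("name", "?"), "params": params})
    return findings


def assess(findings):
    """Map findings to a verdict string (wording chosen for this example)."""
    if not findings:
        return "no JMSAppender configured: not affected by CVE-2021-4104"
    if any(f["params"] for f in findings):
        return "JMSAppender with JNDI binding names set: remove or restrict it"
    return "JMSAppender configured without JNDI binding names: still review"


# Constructed sample configurations (placeholder hosts and class names).
SAMPLE_PROPERTIES = """\
# root logger sends events to the console and to a JMS topic
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.example.jndi.ExampleContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, findings in (("properties", scan_properties(SAMPLE_PROPERTIES)),
                            ("xml", scan_xml(SAMPLE_XML))):
        print(f"{label}: {assess(findings)}")
        for finding in findings:
            print(f"  appender {finding['appender']!r}: {finding['params']}")
```

Run it as-is to see the two constructed samples flagged, or pass the contents of a deployment's own log4j.properties or log4j.xml to `scan_properties` / `scan_xml`. Any finding means JMSAppender is in use, so that configuration file's write permissions deserve the restriction the Recommendations call for; an empty result means the non-default appender is absent and CVE-2021-4104 does not apply.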
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Jira
Linuxmint
Log4J
Red Hat
Rocky Linux
Suse
Ubuntu