{"id":"CVE-2021-4104","details":"JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.","aliases":["GHSA-fp5r-v3w9-4333"],"modified":"2026-04-16T00:00:54.628951897Z","published":"2021-12-14T12:15:12.200Z","related":["ALSA-2022:0290","SUSE-SU-2021:14866-1","SUSE-SU-2021:4096-1","SUSE-SU-2021:4097-1","SUSE-SU-2021:4111-1","SUSE-SU-2021:4112-1","SUSE-SU-2021:4115-1","SUSE-SU-2021:4160-1","SUSE-SU-2021:4190-1","SUSE-SU-2022:0126-1","SUSE-SU-2022:0133-1","SUSE-SU-2022:0354-1","SUSE-SU-2022:0355-1","openSUSE-SU-2021:1612-1","openSUSE-SU-2021:1631-1","openSUSE-SU-2021:4111-1","openSUSE-SU-2021:4112-1","openSUSE-SU-2022:0038-1","openSUSE-SU-2024:11681-1","openSUSE-SU-2024:11682-1","openSUSE-SU-2024:11696-1"],"references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2021-44228"},{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/930724"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/01/18/3"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2021-4104"},{"type":"WEB","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-02"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202312-02"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202312-04"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211223-0007/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-16"},{"type":"FIX","url":"https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.7"}]},{"events":[{"introduced":"0"},{"last_affected":"4.8"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.5"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.2.1.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.8.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.29"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-4104.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}