Deserialization of Untrusted Data in Apache Log4j - CVE-2021-4104

Published: December 15, 2021 / Updated: April 15, 2022


Vulnerability identifier: #VU58977
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-4104
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Log4j
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when JMSAppender processes serialized data, and it is only reachable when the attacker already has write access to the Log4j configuration. An attacker who can set the TopicBindingName and TopicConnectionFactoryBindingName properties can make JMSAppender perform JNDI lookups that result in remote code execution.

Note that this issue only affects Log4j 1.2 when it is specifically configured to use JMSAppender, which is not the default configuration.
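As an added example (not part of this advisory), the following Python script parses a Log4j 1.2 properties configuration, reports any appender of class org.apache.log4j.net.JMSAppender, and flags TopicBindingName, TopicConnectionFactoryBindingName or ProviderURL values that resolve through a remote JNDI provider; the list of remote URL schemes and the sample configuration are constructed for this example.

```python
"""Added example (not from the advisory): scan a Log4j 1.2 properties config
for JMSAppender and report its JNDI-related settings. Remote schemes are assumed."""
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender properties whose values are resolved through JNDI
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName", "ProviderURL")
REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://", "dns://", "iiop://")
# Matches log4j.appender.<name>[.<key>]=<value>
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*?)\s*$")

def parse_appenders(text):
    """Return {appender_name: {'class': ..., key: value, ...}} from log4j.appender.* lines."""
    appenders = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        m = APPENDER_RE.match(line)
        if m:
            name, key, value = m.groups()
            appenders.setdefault(name, {})["class" if key is None else key] = value
    return appenders

def scan_log4j_config(text):
    """Return (appender, finding) tuples; remote JNDI names are the high-risk ones."""
    findings = []
    for name, props in parse_appenders(text).items():
        if props.get("class") != JMS_APPENDER:
            continue  # only JMSAppender is affected by CVE-2021-4104
        findings.append((name, "JMSAppender configured"))
        for key in JNDI_KEYS:
            value = props.get(key)
            if value is not None and value.lower().startswith(REMOTE_SCHEMES):
                findings.append((name, f"{key} resolves via remote JNDI: {value}"))
    return findings

# Constructed sample: a plain FileAppender plus a JMSAppender bound to a remote LDAP name
SAMPLE_CONFIG = """log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://jndi.example.invalid:1389/o=log4j
log4j.appender.jms.TopicConnectionFactoryBindingName=TopicConnectionFactory
"""

if __name__ == "__main__":
    for appender, finding in scan_log4j_config(SAMPLE_CONFIG):
        print(f"[{appender}] {finding}")
```

A configuration with no JMSAppender produces no findings; a JMSAppender whose binding names are plain JNDI names is still reported so that its presence can be reviewed.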


Remediation

Install updates from the vendor's website.

External links