CVE-2021-4104
📋 TL;DR
CVE-2021-4104 is a deserialization vulnerability in Log4j 1.2's JMSAppender that allows remote code execution when attackers can modify Log4j configuration files. This affects systems running Log4j 1.2 with JMSAppender explicitly enabled, which is not the default configuration. Log4j 1.2 reached end-of-life in 2015, making this particularly dangerous for legacy systems.
💻 Affected Systems
- Apache Log4j (1.2 with JMSAppender enabled)
- Business Process Management Suite by Oracle
- Communications Eagle Ftp Table Base Retrieval by Oracle
- Communications Network Integrity by Oracle
- Communications Offline Mediation Controller by Oracle
- Communications Unified Inventory Management by Oracle
- E Business Suite Cloud Manager And Cloud Backup Module by Oracle
- Enterprise Manager Base Platform by Oracle
- Fedora by Fedoraproject
- Financial Services Revenue Management And Billing Analytics by Oracle
- Fusion Middleware Common Libraries And Tools by Oracle
- Hyperion Data Relationship Management by Oracle
- Hyperion Infrastructure Technology by Oracle
- Jboss Enterprise Application Platform by Redhat
- Retail Extract Transform And Load by Oracle
- Tuxedo by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Limited exploitation due to non-default configuration requirement, but successful attacks result in application compromise and lateral movement.
If Mitigated
No impact if JMSAppender is disabled or proper access controls prevent configuration modification.
🎯 Exploit Status
Exploitation requires write access to Log4j configuration files. Similar exploitation patterns to Log4Shell (CVE-2021-44228) but with additional prerequisites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A - Log4j 1.2 is end-of-life
Vendor Advisory: https://logging.apache.org/log4j/1.2/
Restart Required: Yes
Instructions:
1. Upgrade to Log4j 2.x immediately.
2. Remove Log4j 1.2 from all systems.
3. Restart affected applications after upgrade.
🔧 Temporary Workarounds
Disable JMSAppender
Remove or comment out the JMSAppender configuration from log4j.properties / log4j.xml files
# Remove lines referencing 'JMSAppender' from log4j configuration files
# Example of such a line: log4j.appender.jms=org.apache.log4j.net.JMSAppender
Remove JMSAppender class
Delete JMSAppender.class from the Log4j jar, or restrict access to it, so the class can never be loaded
zip -q -d /path/to/log4j-1.2.x.jar org/apache/log4j/net/JMSAppender.class
# Or use Java security policies to restrict class loading
🧯 If You Can't Patch
- Implement strict file permissions on Log4j configuration files (read-only for application users)
- Use application allowlisting to prevent unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check log4j configuration files for JMSAppender references and verify that a Log4j 1.2 version is in use
Check Version:
unzip -p log4j-*.jar META-INF/MANIFEST.MF | grep -i 'version'
Verify Fix Applied:
Confirm JMSAppender is removed from configuration and Log4j 2.x is installed
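The configuration check above, as an added example that is not part of this advisory: a small Python scanner that parses a log4j.properties or log4j.xml body, reports every appender whose class is org.apache.log4j.net.JMSAppender, whether any logger actually attaches it (a defined but unattached appender is inert), and the TopicBindingName / TopicConnectionFactoryBindingName values it would resolve through JNDI. The sample configuration embedded in it is constructed; `scan_log4j1_config` is a name chosen here.

```python
# Added example (not from the advisory): report JMSAppender definitions in a
# Log4j 1.2 configuration body (log4j.properties or log4j.xml) for triage.
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_OPTIONS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
LOGGER_KEY = re.compile(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)")

def _scan_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            name, prefix = m.group(1), key + "."
            opts = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
            # The appender is only live if some logger lists it after its level.
            attached = any(name in [p.strip() for p in v.split(",")[1:]]
                           for k, v in props.items() if LOGGER_KEY.match(k))
            findings.append({"name": name, "attached": attached,
                             "jndi": {o: opts.get(o) for o in JNDI_OPTIONS}})
    return findings

def _scan_xml(text):
    root = ET.fromstring(text)
    refs = {r.get("ref") for r in root.iter("appender-ref")}
    findings = []
    for app in root.iter("appender"):
        if app.get("class") == JMS_APPENDER:
            opts = {p.get("name"): p.get("value") for p in app.findall("param")}
            findings.append({"name": app.get("name"), "attached": app.get("name") in refs,
                             "jndi": {o: opts.get(o) for o in JNDI_OPTIONS}})
    return findings

def scan_log4j1_config(text):
    """One finding per JMSAppender: name, whether a logger attaches it, JNDI names."""
    return _scan_xml(text) if text.lstrip().startswith("<") else _scan_properties(text)

# Constructed sample (not from a real system): a JMSAppender attached to the root logger.
SAMPLE_PROPERTIES = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=TopicConnectionFactory
log4j.appender.jms.TopicBindingName=log4jTopic
"""
```

Run it over every log4j.properties and log4j.xml found on a host; any finding with `attached` true on a Log4j 1.2 deployment is the configuration this CVE requires.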
📡 Detection & Monitoring
Log Indicators:
- JMSAppender initialization
- JNDI lookups in Log4j context
- Unexpected network connections from logging processes
Network Indicators:
- Outbound LDAP/RMI connections from applications using Log4j
- Unexpected JMS traffic
SIEM Query:
source="*log4j*" AND ("JMSAppender" OR "TopicBindingName" OR "TopicConnectionFactoryBindingName")
🔗 References
- http://www.openwall.com/lists/oss-security/2022/01/18/3
- https://access.redhat.com/security/cve/CVE-2021-4104
- https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
- https://security.gentoo.org/glsa/202209-02
- https://security.gentoo.org/glsa/202310-16
- https://security.gentoo.org/glsa/202312-02
- https://security.gentoo.org/glsa/202312-04
- https://security.netapp.com/advisory/ntap-20211223-0007/
- https://www.cve.org/CVERecord?id=CVE-2021-44228
- https://www.kb.cert.org/vuls/id/930724
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html