CVE-2021-4104

Aliases:GHSA-fp5r-v3w9-4333

Advisory lineage Upstream: 0 Downstream: 43

Downstream

DEBIAN-CVE-2021-4104 DLA-2905-1 MGASA-2023-0141 OPENSUSE-SU-2021:1612-1 OPENSUSE-SU-2021:1631-1 OPENSUSE-SU-2021:4111-1

Modified

Published: 14 Dec 2021, 00:00

Last modified:28 May 2026, 19:53

Vulnerability Summary

Overall Risk (default)

medium

44/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

72.2% CRITICAL

72% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Dec 2021, 00:00

Published

Vulnerability first disclosed

28 May 2026, 19:53

Last Modified

Vulnerability information updated

Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 72.20%• Percentile: 99%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

apache software foundation•apache log4j 1.x
Apache Log4j 1.2 1.2.x
apache•log4j
1.2
fedoraproject•fedora
35
log4j•log4j
≥ 1.2.0, ≤ 1.2.17
org.zenframework.z8.dependencies.commons•log4j-1.2.17
≤ 2.0
oracle•advanced_supply_chain_planning
12.1 | 12.2
oracle•business_intelligence
5.9.0.0.0 | 12.2.1.3.0 | 12.2.1.4.0
oracle•business_process_management_suite
12.2.1.3.0 | 12.2.1.4.0
oracle•communications_eagle_ftp_table_base_retrieval
4.5
oracle•communications_messaging_server
8.1
oracle•communications_network_integrity
7.3.6
oracle•communications_offline_mediation_controller
< 12.0.0.4.0 | 12.0.0.5.0
oracle•communications_unified_inventory_management
7.3.4 | 7.3.5 | 7.4.1 | 7.4.2
oracle•e-business_suite_cloud_manager_and_cloud_backup_module
2.2.1.1.1
oracle•enterprise_manager_base_platform
13.4.0.0 | 13.5.0.0
oracle•financial_services_revenue_management_and_billing_analytics
2.7.0.0 | 2.7.0.1 | 2.8.0.0
oracle•fusion_middleware_common_libraries_and_tools
12.2.1.4.0
oracle•goldengate
na
oracle•healthcare_data_repository
8.1.0
oracle•hyperion_data_relationship_management
< 11.2.8.0
oracle•hyperion_infrastructure_technology
< 11.2.8.0
oracle•identity_management_suite
12.2.1.3.0 | 12.2.1.4.0
oracle•jdeveloper
12.2.1.3.0
oracle•mysql_enterprise_monitor
≤ 8.0.29
oracle•retail_allocation
14.1.3.2 | 15.0.3.1 | 16.0.3 | 19.0.1
oracle•retail_extract_transform_and_load
13.2.5
oracle•stream_analytics
na
oracle•timesten_grid
na
oracle•tuxedo
12.2.2.0.0
oracle•utilities_testing_accelerator
6.0.0.1.1 | 6.0.0.2.2 | 6.0.0.3.1
Unknown•WebLogic Server
12.2.1.3.0 | 12.2.1.4.0 | 14.1.1.0.0
redhat•codeready_studio
12.0
redhat•enterprise_linux
6.0 | 7.0 | 8.0
redhat•integration_camel_k
na
redhat•integration_camel_quarkus
na
redhat•jboss_a-mq
6.0.0 | 7
redhat•jboss_a-mq_streaming
na
redhat•jboss_data_grid
7.0.0
redhat•jboss_data_virtualization
6.0.0
redhat•jboss_enterprise_application_platform
6.0.0 | 7.0
redhat•jboss_fuse
6.0.0 | 7.0.0
redhat•jboss_fuse_service_works
6.0
redhat•jboss_operations_network
3.0
redhat•jboss_web_server
3.0
redhat•openshift_application_runtimes
na
redhat•openshift_container_platform
4.6 | 4.7 | 4.8
redhat•process_automation
7.0
redhat•single_sign-on
7.0
redhat•software_collections
na