Is CVE-2021-4104 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 81%.

What products does CVE-2021-4104 affect?

Tracked products affected include JBoss. Check the version you run to see whether it is affected.

How do I fix CVE-2021-4104?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2021-4104

Q: What is CVE-2021-4104?

CVE-2021-4104 is a high-severity software vulnerability (Insecure deserialization) with a CVSS score of 7.5. JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causin

HIGH severity · CVSS 7.5 · Insecure deserialization

7.5CVSS HIGH

Summary

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)81%

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

JBoss

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2021-4104

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information