forked from jtsmith2020/verademo-java
Status: Open
Labels: Severity: High (High severity); Veracode Dependency Scanning (A Veracode identified vulnerability)
Description
Veracode Software Composition Analysis
| Attribute | Details |
|---|---|
| Library | Apache Log4j |
| Description | Apache Log4j 1.2 |
| Language | JAVA |
| Vulnerability | Deserialisation Of Untrusted Object |
| Vulnerability description | JMSAppender in log4j is vulnerable to deserialization of untrusted objects. When an application is configured to use JMSAppender with TopicBindingName or TopicConnectionFactoryBindingName set to something that JNDI can handle, for example "ldap://host:port/a", an attacker is able to execute code on the server, as in Log4j 2.x CVE-2021-44228. However, this vulnerability depends entirely on configuration. Note: this CVE is for Log4j 1.x; the corresponding flaw for Log4j 2.x is CVE-2021-44228. |
| CVE | 2021-4104 |
| CVSS score | 6 |
| Vulnerability present in versions | 1.1.3-1.2.17 |
| Found library version | 1.2.17 |
| Vulnerability fixed in version | |
| Library latest version | 1.2.17 |
| Fix | log4j 1.x is End of Life and its security vulnerabilities will not be fixed. Upgrade to the latest fixed version of Log4j 2. |