What is CVE-2021-4104?

CVE-2021-4104 is a high-severity vulnerability affecting Apache Log4j 1.2, allowing for remote code execution via deserialization of untrusted data. Immediate remediation is essential to prevent exploitation.

What is the severity of CVE-2021-4104?

CVE-2021-4104 has a severity rating of HIGH with a CVSS base score of 7.5.

CVE-2021-4104 | High Vulnerability in Apache Log4j

CVE-2021-4104 is a high-severity vulnerability found in Apache Log4j 1.2, specifically within the JMSAppender component. This vulnerability allows deserialization of untrusted data when an attacker has write access to the Log4j configuration. By manipulating configurations, such as TopicBindingName and TopicConnectionFactoryBindingName, attackers can provoke JMSAppender to perform JNDI requests, leading to remote code execution. This mirrors the exploitation vector of CVE-2021-44228.

The severity of this vulnerability is rated high, with a CVSS score of 7.5. This score indicates a significant risk to organizations, especially those still utilizing Log4j 1.2, which reached end of life in August 2015. Organizations must recognize the potential impact of this vulnerability, as it allows for full control over affected systems if exploited.

Given the serious implications, organizations should prioritize patching immediately. Users are strongly encouraged to upgrade to Log4j 2, which resolves this and numerous other issues. The known exploitation status of this vulnerability suggests that proactive measures are necessary to prevent potential attacks.

Organizations should evaluate their use of Log4j and assess the configurations to mitigate the risk associated with this vulnerability.

Vulnerability Details

The CVE description explicitly identifies the vulnerability as related to the JMSAppender in Log4j 1.2, allowing attackers to perform JNDI requests that can lead to remote code execution. The CVSS score indicates a high level of risk with potential impacts on confidentiality, integrity, and availability.

The affected product, Apache Log4j 1.2, has been discontinued, making it critical for organizations to transition to the newer Log4j 2 version to avoid these vulnerabilities.

Technical Analysis

The root cause of this vulnerability lies in the deserialization process used within the JMSAppender component. Attackers can exploit weak configurations to execute arbitrary code on the server hosting the vulnerable Log4j instance.

The attack vector is primarily network-based, requiring low privileges and no user interaction, making it particularly dangerous. The potential impacts extend to confidentiality, integrity, and availability, all rated as high.

Risk & Impact Analysis

Risk to organizations includes significant exposure to unauthorized remote code execution, which can lead to data breaches, loss of sensitive information, and potential disruption of services. The blast radius of such an attack could affect not just the vulnerable systems but also connected infrastructure.

Organizations should assess their deployment of Log4j 1.2 and prioritize migration to Log4j 2, especially given the high CVSS score and the known exploitation potential.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of Apache Log4j 1.2, particularly when configured to use JMSAppender. Organizations using Log4j should consider transitioning to Log4j 2 to mitigate risks associated with this vulnerability.

Mitigation & Remediation

Organizations should upgrade to Log4j 2 to address this vulnerability effectively. If immediate upgrading is not feasible, restricting write access to Log4j configuration files and disabling JMSAppender can act as a temporary workaround.

Additionally, organizations should implement configuration hardening and monitor systems for unusual behavior. For a more in-depth look at security practices, organizations can refer to our application security assessment guidelines.

Detection Guidance

Organizations should monitor for abnormal log entries that indicate exploitation attempts. Log indications might include errors related to JNDI lookups or unexpected connections to external resources.

Behavioral anomalies in the application, such as unexpected data access patterns, can also signal potential exploitation.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2021-4104 lies in its representation of the ongoing vulnerabilities within legacy software components. As organizations increasingly rely on older libraries, the risks escalate, making vigilance and timely updates crucial.

Security teams should watch for patterns indicating similar vulnerabilities in other components, emphasizing the need for robust dependency management.

For further insights on managing vulnerabilities, organizations can explore our resources on vulnerability management programs and our penetration testing methodology best practices.

By staying informed and proactive, organizations can significantly reduce their exposure to vulnerabilities like CVE-2021-4104.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2021-4104: High Vulnerability in Apache Log4j