JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2021-4104
Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2021-12-14. NVD baseline CVSS 7.5; sources differ by 0.0.
- High exploitation likelihood — EPSS 81%
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 99.6%
- KEV
- Not listed
Published
December 14, 2021
Last Modified
May 28, 2026
Advisory Details (10)
Auto-updated May 29, 2026Arduino: Remote Code Execution (GLSA 202312-04) — Gentoo security
https://security.gentoo.org/glsa/202312-04Minecraft Server: Remote Code Execution (GLSA 202312-02) — Gentoo security
https://security.gentoo.org/glsa/202312-02Ubiquiti UniFi: remote code execution via bundled log4j (GLSA 202310-16) — Gentoo security
https://security.gentoo.org/glsa/202310-16IBM Spectrum Protect: Multiple Vulnerabilities (GLSA 202209-02) — Gentoo security
https://security.gentoo.org/glsa/202209-02Restrict LDAP access via JNDI
Patch available: apache/logging-log4j2 rel/2.21.0 (PR #608 merged 2021-12-05)
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126oss-security - CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
http://www.openwall.com/lists/oss-security/2022/01/18/3Vendor Advisories for CVE-2021-4104(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2024:10207Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.11 Security update
- RHSA-2024:5856Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update
- RHSA-2022:5460Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:5459Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:5458Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:1299Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1297Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1296Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- +12 more
Patch Availability(23)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| log4j:log4j | 1.2.11 ... 1.2.9 (13 versions) | — | — |
| org.zenframework.z8.dependencies.commons:log4j-1.2.17 | 2.0 | — | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(19)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2021:5107MODERATE2021-12-10
RHSA-2021:5107 — Moderate
- Red HatRHSA-2021:5141MODERATE2021-12-10
RHSA-2021:5141 — Moderate
- Red HatRHSA-2021:5148MODERATE2021-12-10
RHSA-2021:5148 — Moderate
- Red HatRHSA-2021:5183MODERATE2021-12-10
RHSA-2021:5183 — Moderate
- Red HatRHSA-2021:5184MODERATE2021-12-10
RHSA-2021:5184 — Moderate
- Red HatRHSA-2021:5186MODERATE2021-12-10
RHSA-2021:5186 — Moderate
- Red HatRHSA-2021:5206MODERATE2021-12-10
RHSA-2021:5206 — Moderate
- Red HatRHSA-2021:5269MODERATE2021-12-10
RHSA-2021:5269 — Moderate
- Red HatRHSA-2022:0289MODERATE2021-12-10
RHSA-2022:0289 — Moderate
- Red HatRHSA-2022:0290MODERATE2021-12-10
RHSA-2022:0290 — Moderate
- Red HatRHSA-2022:0291MODERATE2021-12-10
RHSA-2022:0291 — Moderate
- Red HatRHSA-2022:0294MODERATE2021-12-10
RHSA-2022:0294 — Moderate
- Red HatRHSA-2022:0430MODERATE2021-12-10
RHSA-2022:0430 — Moderate
- Red HatRHSA-2022:0435MODERATE2021-12-10
RHSA-2022:0435 — Moderate
- Red HatRHSA-2022:0436MODERATE2021-12-10
RHSA-2022:0436 — Moderate
- Red HatRHSA-2022:0437MODERATE2021-12-10
RHSA-2022:0437 — Moderate
- Red HatRHSA-2022:0438MODERATE2021-12-10
RHSA-2022:0438 — Moderate
- Red HatRHSA-2022:0444MODERATE2021-12-10
RHSA-2022:0444 — Moderate
- Red HatRHSA-2022:0446MODERATE2021-12-10
RHSA-2022:0446 — Moderate
Data Freshness Timeline
(refreshed 3× in last 7d / 25× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 02:30 UTCOSV refresh
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 15:10 UTCOSV refresh
Show 18 moreShow fewer
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-26 06:27 UTCEG score recompute
- 2026-05-26 06:27 UTCVendor advisory
- 2026-05-26 06:27 UTCGHSA enrichment
- 2026-05-25 10:46 UTCOSV refresh
Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCcckuailong/log4shell_1.xFirst seen Dec 14, 2021
log4j 1.x RCE Poc -- CVE-2021-4104
Open source ↗
Frequently asked(5)
What is CVE-2021-4104?
When was CVE-2021-4104 disclosed?
Is CVE-2021-4104 actively exploited?
What is the CVSS score of CVE-2021-4104?
How do I remediate CVE-2021-4104?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-4104
Is Your Infrastructure Affected by CVE-2021-4104?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.