[sssForm]

Security Advisory

LOG4J - CVE-2021-4104
Published: Friday, January 7th, 2022
Last Update: Friday, January 7th, 2022
Summary

In December 2021, Apache Log4j (logging.apache.org) [1] published security advisories detailing several critical security issues. During the continued investigation it was discovered that Log4j 1.2 was vulnerable to a related issue involving JNDI and JMSAppender. This vulnerability requires JMSAppender to be enabled for a system to be exposed.

For more information on related Log4j issues affecting log4j 2.x see the A10 Networks Security Advisory titled “LOG4J - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105”.

The following vulnerabilities reported by Apache Log4j are addressed in this document.

Item Score
# Vulnerability ID Source Score Summary
1 CVE-2021-4104 CVSS 3.0 8.1 High log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [2]
Affected Releases

The table below indicates the vulnerability status of A10 products for these vulnerabilities. Unless specific models or product software releases are indicated, the vulnerability status should be considered to reflect all product models and software releases.

Product Vulnerability Status
A10 Thunder Not affected
A10 vThunder (Virtual Thunder) Not affected
A10 cThunder (Container Thunder) Not affected
A10 AX Series Not affected
A10 aGalaxy TPS Not affected
A10 aGalaxy ADC Series Not affected
A10 Harmony Controller Not affected
A10 Enterprise License Manager (ELM) Not affected
Releases Affected Releases Resolved or Unaffected
Workarounds and Mitigations

None

Software Updates

Not available

Vulnerability Details

The following table shares brief descriptions for the vulnerabilities addressed in this document.

Vulnerability ID Vulnerability Description
CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Acknowledgements

None

Modification History
Revision Date Description
1.0 Friday, January 7th, 2022

Initial Publication


© Copyright 2022  A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.


DOWNLOAD PDF


Log4j-CVE-2021-4104