CVE-2021-4104: 
IBM Db2 vulnerability analysis and mitigation

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The vulnerability (CVE-2021-4104) was disclosed in December 2021. The vulnerability affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default configuration. Apache Log4j 1.2 reached end of life in August 2015 (NVD).

The vulnerability allows an attacker with write access to the Log4j configuration to provide TopicBindingName and TopicConnectionFactoryBindingName configurations, causing JMSAppender to perform JNDI requests that can result in remote code execution, similar to CVE-2021-44228. The CVSS v3.1 base score is 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

A successful exploitation could lead to remote code execution with the privileges of the vulnerable Java application using Log4j. The vulnerability requires write access to the Log4j configuration file and specific configuration of JMSAppender to be exploitable (NVD).

Since Log4j 1.x has reached end of life, the primary mitigation is to upgrade to Log4j 2. For systems that cannot be upgraded immediately, the following mitigations are recommended: 1) Do not use JMSAppender in the Log4j configuration, 2) Remove the JMSAppender class file (org/apache/log4j/net/JMSAppender.class), or 3) Limit OS user access to prevent modification of the Log4j configuration (NVD).

The vulnerability received less attention compared to CVE-2021-44228 (Log4Shell) due to its limited scope and specific exploitation requirements. However, it highlighted the importance of upgrading from end-of-life software versions and maintaining secure configurations (Tenable Blog).