GHSA-3w6p-8f82-gw8r: 
Java vulnerability analysis and mitigation

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. This vulnerability (CVE-2021-4104) was disclosed in December 2021 and affects Log4j 1.2 installations that specifically use JMSAppender configuration. The vulnerability allows attackers to execute remote code through JNDI requests in a similar fashion to CVE-2021-44228 (NIST NVD).

The vulnerability exists in the JMSAppender component of Log4j 1.2, where an attacker can provide malicious TopicBindingName and TopicConnectionFactoryBindingName configurations. These configurations can trigger JNDI requests leading to remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NIST NVD).

If successfully exploited, this vulnerability can lead to remote code execution on the affected server. The impact is particularly severe as it affects confidentiality, integrity, and availability of the system, with all three aspects rated as 'High' in the CVSS scoring (NIST NVD).

Several mitigation options are available: 1) Do NOT use JMSAppender in log4j configuration with insecure JMS broker, 2) Remove the JMSAppender.class using the command: zip -d clickhouse-jdbc-bridge*.jar ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class, 3) Upgrade to Log4j 2 as Log4j 1.2 reached end of life in August 2015 (GitHub Advisory).