101 matches found
Deserialisation Of Untrusted Object
JMSAppender in log4j is vulnerable to deserialization of untrusted object. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a", an attacker is able to execu...
SUSE-SU-2021:4097-1 Security update for storm-kit
This update for storm-kit fixes the following issues: - Remove JndiLookup from log4j 2.x jars during build to prevent 'log4shell' code injection. bsc1193641, bsc1193611, CVE-2021-44228 - Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled bsc1193641,...
SUSE-SU-2021:4096-1 Security update for storm
This update for storm fixes the following issues: - Remove JndiLookup from log4j 2.x jars during build to prevent 'log4shell' code injection. bsc1193641, bsc1193611, CVE-2021-44228 - Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled bsc1193641, bsc119366...
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version numbe...
Apache Log4j allows insecure JNDI lookups
Overview Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j. CISA has published Apache Log4j Vulnerability Guidance and provides a Software List. Description Th...
GHSA-FP5R-V3W9-4333 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
Deserialization of untrusted data
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104 Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...
CVE-2021-4104 Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
Security Advisory 0070
Security Advisory 0070 PDF Date: May 20th, 2022 Revision | Date | Changes ---|---|--- 1.6 | May 20th, 2022 | Update CVEs affected release info 1.5 | January 4th, 2022 | Add information about CVE-2021-44832 1.4 | December 21st, 2021 | Add information about CVE-2021-45105 1.3 | December 17th, 2021 ...
BSA-2021-1652
Security Advisory ID : BSA-2021-1652 Component : JMSAppender in Log4j 1.2 Revision : 1.0 CVE-2021-4104 - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and...
Apache Log4j < 2.15.0 Remote Code Execution (Windows)
The version of Apache Log4j on the remote host is 2.x 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Log4j...
Apache Log4j < 2.15.0 Remote Code Execution (Nix)
The version of Apache Log4j on the remote host is 2.x 2.3.1 / 2.4 2.12.2 / 2.13 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute...