CVE: 2021-4104 found in Apache Log4j - Version: 1.2.17 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Log4j
Description	Apache Log4j 1.2
Language	JAVA
Vulnerability	Deserialisation Of Untrusted Object
Vulnerability description	JMSAppender in log4j is vulnerable to deserialization of untrusted object. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a", an attacker is able to execute code on the server as in Log4j 2.x CVE-2021-44228. However, this vulnerability is only depending on configuration. Note: This CVE is for Log4j 1.x and its corresponding flaw information for Log4j 2.x is in CVE-2021-44228.
CVE	2021-4104
CVSS score	6
Vulnerability present in version/s	1.1.3-1.2.17
Found library version/s	1.2.17
Vulnerability fixed in version
Library latest version	1.2.17
Fix	log4j 1.x is End of Life. Its security vulnerabilities will not be fixed. Recommended to upgrade to the latest fix version of Log4j 2.

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/163?version=1.2.17
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/33348
• Patch:

[github-actions[bot]]

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2