Cyber Resilience

CVE-2021-4104

HighRCEUpdated

Published: 14 December 2021

Published
14 December 2021
Modified
28 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7220 98.8th percentile
Risk Priority 58 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-4104 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Communications Unified Inventory Management. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code…

more

execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
log4j
1.2
fedoraproject
fedora
35
redhat
codeready studio
12.0
redhat
integration camel k
all versions
redhat
integration camel quarkus
all versions
redhat
jboss a-mq
6.0.0, 7
redhat
jboss a-mq streaming
all versions
redhat
jboss data grid
7.0.0
redhat
jboss data virtualization
6.0.0
redhat
jboss enterprise application platform
6.0.0, 7.0
+36 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

addresses: CWE-502

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References