Apache Log4j 1.2's JMSAppender is vulnerable to deserialization of untrusted data when Log4j 1.2 is specifically configured to use JMSAppender and an attacker can modify the Log4j configuration. By supplying attacker-controlled TopicBindingName and TopicConnectionFactoryBindingName values, the vulnerable component performs JNDI lookups to attacker-controlled resources, which can lead to remote code execution in a manner similar to later Log4Shell-style JNDI exploitation. The issue is not present in default Log4j 1.2 deployments unless JMSAppender is explicitly enabled. Log4j 1.2 is end-of-life and no longer maintained.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2021-4104, a remote code execution vulnerability in Apache Log4j 1.x when configured with JMSAppender and a writable log4j.properties file. The exploit demonstrates how an attacker can leverage a malicious JNDI LDAP endpoint to load a Java class (Evil.java) that executes arbitrary system commands (in this case, launching 'calc'). The repository includes Java source files for the payload (Evil.java), a test harness (Test.java), and configuration files (log4j.properties) that set up the vulnerable logging environment. The attack vector is network-based, requiring the target to connect to attacker-controlled LDAP and JMS endpoints. The PoC is operational but not weaponized, as it requires manual configuration and setup. Notable endpoints include 'tcp://localhost:61616' for JMS and 'ldap://127.0.0.1:1389/any' for JNDI. The repository structure follows a standard Java Maven web application layout, with source, resources, and webapp directories.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Vulnerability referenced by HPE as affecting HPE Telco Universal SLA Management <=4.6; specific technical details not provided in the bulletin excerpt.
A medium-severity vulnerability affecting Log4j version 1.x, mentioned in the vulnerability timeline.
Log4j 1.2 JMSAppender-related vulnerability (non-default configuration) enabling exploitation when JMSAppender is enabled; Log4j 1.2 is end-of-life.
Log4j 1.2 vulnerability in JMSAppender (non-default configuration) that can enable JNDI-based exploitation when JMSAppender is enabled; Log4j 1.2 is EOL.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.