Is Mend Vulnerable to Log4j JMSAppender vulnerability CVE-2021-4104?

On December 16, 2021 the NVD released a Security Vulnerability under the ID: CVE-2021-4104. This CVE description is as follows:

Current Description

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

What specific versions are vulnerable?

What is vulnerable: all log4j 1.2.* versions.

What is not vulnerable: log4j-core 2.0 and later (best practice is to upgrade to log4j-core 2.17.0, which also avoids CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105).
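Because this CVE only applies when Log4j 1.2.* is present and the configuration actually wires up JMSAppender, a useful first check is to combine the artifact version with what the configuration declares. The script below is an added example, not Mend's code: it reads a log4j.properties or log4j.xml text, reports any JMSAppender definitions together with the TopicBindingName and TopicConnectionFactoryBindingName options the CVE description names, and gives a verdict. The two configurations embedded in it are constructed samples, and the properties parser handles only the "=" and ":" separators typical of log4j.properties files.

```python
"""Added example: check a Log4j 1.x deployment for CVE-2021-4104 exposure.

Exposure needs two things at once: a Log4j 1.2.* artifact and a configuration
that wires up org.apache.log4j.net.JMSAppender (it is not the default).
The configs below are constructed samples, not files from any real project.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two appender options the NVD description names as the JNDI vector.
JNDI_OPTIONS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def is_affected_version(version):
    """True for any Log4j 1.2.* release (1.2, 1.2.17, 1.2.17-x); 2.x is out of scope."""
    return re.fullmatch(r"1\.2(\.\d+)?(-.*)?", version.strip()) is not None


def jms_appenders_in_properties(text):
    """Find JMSAppender definitions in a log4j.properties style config.

    Log4j 1.x declares appenders as `log4j.appender.<name>=<class>` and sets
    their options as `log4j.appender.<name>.<Option>=<value>`. Only '=' and
    ':' separators are handled (a simplification of the Java properties format).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            opts = {o: props.get("log4j.appender.%s.%s" % (name, o)) for o in JNDI_OPTIONS}
            findings.append({"appender": name, "options": opts})
    return findings


def jms_appenders_in_xml(text):
    """Same check for log4j.xml: <appender class="...JMSAppender"> with <param> children."""
    root = ET.fromstring(text)
    findings = []
    for app in root.iter("appender"):
        if app.get("class") != JMS_APPENDER_CLASS:
            continue
        params = {p.get("name"): p.get("value") for p in app.findall("param")}
        findings.append({"appender": app.get("name"),
                         "options": {o: params.get(o) for o in JNDI_OPTIONS}})
    return findings


def assess(version, findings):
    """Combine artifact version and configuration findings into one verdict."""
    if not is_affected_version(version):
        return "not affected: version %s is outside Log4j 1.2.*" % version
    if not findings:
        return "not exposed: Log4j %s present but no JMSAppender configured (still end of life)" % version
    names = ", ".join(f["appender"] for f in findings)
    return "exposed: JMSAppender configured on Log4j %s (appender(s): %s)" % (version, names)


# Constructed sample: a 1.x properties config that does enable JMSAppender.
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

# Constructed sample: a 1.x XML config with only a console appender.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.SimpleLayout"/>
  </appender>
  <root><level value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(assess("1.2.17", jms_appenders_in_properties(SAMPLE_PROPERTIES)))
    print(assess("1.2.17", jms_appenders_in_xml(SAMPLE_XML)))
    print(assess("2.17.0", []))
```

The verdict deliberately distinguishes "not exposed" from "not affected": a Log4j 1.2.* jar without a JMSAppender is outside this CVE but is still end-of-life software, so the upgrade advice above applies either way.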

Are Mend offerings vulnerable?

  1. Unified Agent - The Mend Unified Agent is not vulnerable to log4j CVE-2021-4104 at this time. You are free to use it as needed!

  2. Essentials - The Mend Essentials offering is not vulnerable and safe to use.

  3. Prioritize - The Mend Prioritize offering is not vulnerable and safe to use.

  4. Mend Core - Mend Core is not vulnerable and safe to use.

  5. Artifactory Plugin - The Mend Artifactory Plugin is not vulnerable and safe to use.

  6. Bolt 4 Azure Server - The Mend Bolt 4 Azure Server offering is not vulnerable and safe to use.

  7. AMP Server - The Mend AMP Server is not vulnerable and safe to use.

  8. Mend Plugins - All Mend scanning plugins including Jira Cloud and Server are not vulnerable and safe to use.

  9. WS CLI - The Mend CLI is not vulnerable and safe to use.

  10. Mend Diffend - Mend Diffend is not vulnerable and safe to use.

  11. Mend UI and Dedicated Instances - The Mend UI and all dedicated instances are not vulnerable and therefore safe to use.

  12. IDE Plugins - Our IDE plugins (such as “Advise for <IDE>”) are not vulnerable and safe to use.

  13. Developer Integrations - None of our SCM integrations (hosted and self-hosted) are vulnerable.

  14. Dockerized On-Premise Environment - Our Dockerized On-Premise Environment is not vulnerable.

Frequently Asked Questions

Q: What is Mend’s recommended action to fix CVE-2021-4104 for my own products?

A: Please reference the Mend Vulnerability Database for the latest information on how to fix the vulnerability: CVE-2021-4104

Q: Do I need to rescan my projects to detect this vulnerability?

A: No. Mend keeps an up-to-date list of vulnerabilities in our index, and alerts are generated automatically once a vulnerability is added to the index.

Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?

A: If you have policies set up for your organization, Mend will automatically notify you if you are affected by this vulnerability. If you do not have policies set up, you can look for the CVE in the alerts report.

Q: How can Mend automatically mitigate this vulnerability for me?

A: Mend’s tool, Remediate, can be used to automatically remediate vulnerabilities such as this one in a pom.xml, build.gradle, or other package manager manifest file. You can learn more about Remediate here: Mend Remediate

Q: How can I tell if this vulnerability is in one of my transitive dependencies?

A: Our inventory report, vulnerability report, and alerts report each provide the information you need to determine your next steps in mitigating this vulnerability. To retrieve these reports, you can use either the UI or our Reports API.
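Outside the Mend reports, the same question (which direct dependency pulls Log4j 1.2.* into the build?) can be answered from a build tool's own dependency tree. The script below is an added example and is not Mend code: it parses the text printed by `mvn dependency:tree`, flags every log4j:log4j node in the 1.2.* range, and returns the path from the project root down to it, so the direct dependency responsible is the second entry of that path. The tree it runs on is constructed for illustration; verbose-mode lines wrapped in parentheses (omitted duplicates and conflicts) are skipped.

```python
"""Added example: locate Log4j 1.2.* in a Maven dependency tree and show the
path that pulls it in. Input is the text printed by `mvn dependency:tree`;
the tree below is constructed for illustration, not from a real project.
"""
import re

# g:a:type[:classifier]:version[:scope], no spaces, so build chatter never matches
COORD = re.compile(r"^[\w.\-]+(:[\w.\-]+){3,5}$")
# Tree drawing characters that precede a coordinate: "+- ", "\- ", "|  ", "   "
TREE_PREFIX = re.compile(r"^([|+\\\- ]*)(.*)$")


def is_affected_version(version):
    """Log4j 1.2.* is the range CVE-2021-4104 applies to."""
    return re.fullmatch(r"1\.2(\.\d+)?(-.*)?", version) is not None


def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each node in the tree."""
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        prefix, rest = TREE_PREFIX.match(line).groups()
        if not COORD.match(rest):
            continue  # plugin banners, "BUILD SUCCESS", verbose "(... omitted ...)" lines
        parts = rest.split(":")
        depth = len(prefix) // 3  # each tree level is three characters wide
        # The root line has no scope (g:a:type:version); children end with :scope.
        scope = parts[-1] if len(parts) >= 5 else None
        version = parts[-2] if scope else parts[-1]
        yield depth, parts[0], parts[1], version, scope


def find_affected_log4j(text):
    """Return every log4j:log4j 1.2.* node with the dependency path leading to it."""
    stack = []  # ancestors of the current node as "g:a:v" strings
    findings = []
    for depth, group, artifact, version, scope in parse_tree(text):
        del stack[depth:]  # leaving a subtree: drop the previous node's siblings/children
        stack.append("%s:%s:%s" % (group, artifact, version))
        if group == "log4j" and artifact == "log4j" and is_affected_version(version):
            findings.append({"version": version, "scope": scope, "path": list(stack)})
    return findings


# Constructed sample output of `mvn dependency:tree`. Note that
# commons-logging 1.2 is not flagged: the artifact matters, not just the number.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:4.3.0.RELEASE:compile
[INFO] |  \\- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.4.14:compile
[INFO] |  +- log4j:log4j:jar:1.2.17:compile
[INFO] |  \\- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for hit in find_affected_log4j(SAMPLE_TREE):
        print("log4j %s (%s) via: %s" % (hit["version"], hit["scope"], " -> ".join(hit["path"])))
```

The path is what turns a finding into an action: the direct dependency at `path[1]` is the one to upgrade, exclude, or replace, and the scope tells you whether the vulnerable jar ships with the application or only appears at test time.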
