Vulnerability
Using JMSAppender in log4j configuration may lead to deserialization of untrusted data
### Impact

ClickHouse JDBC Bridge uses [slf4j-log4j12 1.7.32](https://repo1.maven.org/maven2/org/slf4j/slf4j-log4j12/1.7.32/), which depends on [log4j 1.2.17](https://repo1.maven.org/maven2/log4j/log4j/1.2.17/). Log4j 1.2 is end of life and its `JMSAppender` resolves the configured topic and connection-factory binding names through JNDI when the appender is initialised, so whoever controls those settings (and the JMS/JNDI endpoint they point at) can have the server deserialize untrusted data and execute code.

The default JDBC Bridge configuration does not use `JMSAppender`, so a deployment is only exposed if the log4j configuration was changed to add a `JMSAppender` that points at an insecure or attacker-controlled JMS broker. An attacker who can write to the log4j configuration can introduce such an appender themselves.

### Patches

Version `2.0.7` removes the log4j dependency entirely by replacing `slf4j-log4j12` with `slf4j-jdk14` (the `java.util.logging` binding). The logging configuration file accordingly changes from `log4j.properties` to `logging.properties`.

### Workarounds

1. Do NOT change the log4j configuration to use `JMSAppender`, and in particular do not point one at an insecure JMS broker.
2. Alternatively, remove `JMSAppender.class` from the jar. Note that the class is shaded into the bridge's own package, so the path differs from the stock `org/apache/log4j/net/` location:

```bash
# install zip if you don't have it
apt-get update && apt-get install -y zip
# remove the class
zip -d clickhouse-jdbc-bridge*.jar ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class
```

After the class is removed, any configuration that still references `JMSAppender` fails to instantiate that appender instead of performing the JNDI lookup.

### References

Please refer to [CVE-2021-4104](https://access.redhat.com/security/cve/CVE-2021-4104) to read more.

### For more information

If you have any questions or comments about this advisory, please feel free to open an issue in the repository.
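The two checks a practitioner wants from this advisory are (a) confirm that no `log4j.properties` in use configures a `JMSAppender`, and (b) confirm, or enforce, that `JMSAppender.class` is absent from the deployed jar, including the shaded path the bridge uses. The script below is an added example written for this page; it is not part of the ClickHouse JDBC Bridge project. It parses the `log4j.appender.<name>` keys of a properties file, reports the JNDI-relevant settings of any `JMSAppender`, and rewrites a jar without the class (the same effect as the advisory's `zip -d`, but matching any relocation of `log4j/net/JMSAppender.class`). The properties text and the jar it operates on are constructed inline; the broker host `broker.example.invalid` and the placeholder class bytes are not real.

```python
"""Audit and remediation helpers for the log4j 1.2 JMSAppender issue (CVE-2021-4104).

Added example, not part of the ClickHouse JDBC Bridge project.
"""
import io
import re
import zipfile

# JMSAppender.class may sit at the stock log4j 1.2 path
# (org/apache/log4j/net/) or, as in clickhouse-jdbc-bridge*.jar, under a
# shaded package. Matching on the suffix covers both.
JMSAPPENDER_SUFFIX = "log4j/net/JMSAppender.class"

# JMSAppender settings that feed the JNDI lookups performed when the
# appender is initialised.
JNDI_PROPS = ("InitialContextFactoryName", "ProviderURL",
              "TopicBindingName", "TopicConnectionFactoryBindingName")


def find_jms_appenders(properties_text):
    """Return {appender_name: {setting: value}} for every appender whose
    class name ends in '.JMSAppender' (stock or shaded package).
    Handles the 'key=value' form of log4j.properties; '#'/'!' comments skipped."""
    props = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    found = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value.endswith(".JMSAppender"):
            name = m.group(1)
            found[name] = {p: props[f"log4j.appender.{name}.{p}"]
                           for p in JNDI_PROPS
                           if f"log4j.appender.{name}.{p}" in props}
    return found


def jar_entries(jar_bytes):
    """All entry names of a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jmsappender_entries(jar_bytes):
    """Names of JMSAppender.class entries in the jar, at any package path."""
    return [n for n in jar_entries(jar_bytes) if n.endswith(JMSAPPENDER_SUFFIX)]


def strip_jmsappender(jar_bytes):
    """Return a copy of the jar with every JMSAppender.class entry dropped;
    all other entries are copied with their original metadata."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.endswith(JMSAPPENDER_SUFFIX):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


# ---- constructed sample input (not real project files) ----
SAMPLE_PROPERTIES = """\
# constructed log4j.properties that adds the dangerous appender
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SHADED_CLASS = "ru/yandex/clickhouse/jdbcbridge/internal/log4j/net/JMSAppender.class"
OTHER_CLASS = "ru/yandex/clickhouse/jdbcbridge/JdbcBridge.class"  # hypothetical entry


def make_sample_jar():
    """Toy jar with a placeholder JMSAppender.class at the advisory's shaded
    path plus one unrelated entry that must survive stripping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SHADED_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        zf.writestr(OTHER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for name, cfg in find_jms_appenders(SAMPLE_PROPERTIES).items():
        print(f"JMSAppender '{name}' is configured; JNDI-relevant settings: {cfg}")
    jar = make_sample_jar()
    print("before:", jmsappender_entries(jar))
    print("after: ", jmsappender_entries(strip_jmsappender(jar)))
```

To audit a real deployment, feed `find_jms_appenders` the contents of the `log4j.properties` actually loaded by the bridge and `jmsappender_entries` the bytes of `clickhouse-jdbc-bridge*.jar`; both functions return empty results on a deployment that is not exposed. The suffix match is deliberate: a relocated copy of log4j is still vulnerable, and the advisory's `zip -d` path only covers the bridge's own relocation.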