Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x CVE-2021-44228 and Red Hat has assessed this to be Moderate severity.
Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker’s JMS Broker.
If the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker’s control.
These are the possible mitigations for this flaw for releases version 1.x:
– Comment out or remove JMSAppender in the Log4j configuration if it is used
– Remove the JMSAppender class from the classpath. For example:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
– Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.