diff --git a/SOURCES/0001-Add-test-case-for-JNDI-disablement.patch b/SOURCES/0001-Add-test-case-for-JNDI-disablement.patch
new file mode 100644
index 0000000..f8ba9f7
--- /dev/null
+++ b/SOURCES/0001-Add-test-case-for-JNDI-disablement.patch
@@ -0,0 +1,123 @@
+From 4c962ce4c1356e94b66a5599a2c32c30eb3369e3 Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski <mizdebsk@redhat.com>
+Date: Wed, 15 Dec 2021 17:26:22 +0100
+Subject: [PATCH 1/2] Add test case for JNDI disablement
+
+---
+ tests/build.xml                               | 14 +++++++-
+ tests/input/JNDI0.properties                  |  3 ++
+ tests/input/JNDI1.properties                  |  4 +++
+ .../java/org/apache/log4j/JNDITestCase.java   | 34 +++++++++++++++++++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+ create mode 100644 tests/input/JNDI0.properties
+ create mode 100644 tests/input/JNDI1.properties
+ create mode 100644 tests/src/java/org/apache/log4j/JNDITestCase.java
+
+diff --git a/tests/build.xml b/tests/build.xml
+index 74a7139d..7cac1424 100644
+--- a/tests/build.xml
++++ b/tests/build.xml
+@@ -38,6 +38,8 @@
+   <property name="activation.jar" location="lib/mail.jar"/>
+   <property name="junit.version" value="3.8.1"/>
+   <property name="junit.jar" location="lib/junit.jar"/>
++  <property name="geronimo-jms.jar"
++         value="lib/jms.jar"/>
+ 
+ 
+   <!-- Read the system environment variables and stores them in properties, -->
+@@ -71,6 +73,7 @@
+     <pathelement location="${junit.jar}"/>
+     <pathelement location="${javamail.jar}"/>
+     <pathelement location="${activation.jar}"/>
++    <pathelement location="${geronimo-jms.jar}"/>
+     <pathelement path="${java.class.path}"/>
+   </path>
+ 
+@@ -158,7 +161,7 @@
+   <!-- ================================================================= -->
+   <!-- Run all tests                                                     -->
+   <!-- ================================================================= -->  
+-  <target name="runAll" depends="regression, longUnit"/>
++  <target name="runAll" depends="regression, longUnit, JNDI"/>
+ 
+   <!-- ================================================================= -->
+   <!-- Tests multiple parts of log4j. These tests are much more fragile  -->
+@@ -262,6 +265,15 @@
+     </junit>
+   </target>
+ 
++  <target name="JNDI" depends="build">
++    <junit printsummary="yes" fork="yes" 
++        haltonfailure="${haltonfailure}"  dir="${basedir}">
++      <classpath refid="tests.classpath"/>
++      <formatter type="plain" usefile="false"/>
++      <test name="org.apache.log4j.JNDITestCase" />
++    </junit>
++  </target>
++
+   <target name="DefaultInit" depends="build">
+     <!-- Delete possible cruft from previous runs. -->
+     <delete file="${basedir}/classes/log4j.xml"/>
+diff --git a/tests/input/JNDI0.properties b/tests/input/JNDI0.properties
+new file mode 100644
+index 00000000..1fd92627
+--- /dev/null
++++ b/tests/input/JNDI0.properties
+@@ -0,0 +1,3 @@
++log4j.rootLogger=DEBUG, testAppender
++log4j.appender.testAppender=org.apache.log4j.net.JMSAppender
++log4j.appender.testAppender.TopicConnectionFactoryBindingName=foo
+diff --git a/tests/input/JNDI1.properties b/tests/input/JNDI1.properties
+new file mode 100644
+index 00000000..28202fed
+--- /dev/null
++++ b/tests/input/JNDI1.properties
+@@ -0,0 +1,4 @@
++log4j.rootLogger=DEBUG, testAppender
++log4j.appender.testAppender=org.apache.log4j.net.JMSAppender
++log4j.appender.testAppender.TopicConnectionFactoryBindingName=foo
++log4j.appender.testAppender.Enabled=true
+diff --git a/tests/src/java/org/apache/log4j/JNDITestCase.java b/tests/src/java/org/apache/log4j/JNDITestCase.java
+new file mode 100644
+index 00000000..6ef8ec90
+--- /dev/null
++++ b/tests/src/java/org/apache/log4j/JNDITestCase.java
+@@ -0,0 +1,34 @@
++package org.apache.log4j;
++
++import junit.framework.TestCase;
++
++/**
++ * Test for JNDI disablement.
++ *
++ * @author Mikolaj Izdebski
++ */
++public class JNDITestCase extends TestCase {
++
++  public JNDITestCase(String name) {
++    super(name);
++  }
++
++  public void tearDown() {
++    LogManager.resetConfiguration();
++  }
++
++  public void testDisabled() throws Exception {
++    Logger logger = Logger.getLogger(JNDITestCase.class);
++    try {
++      PropertyConfigurator.configure("input/JNDI0.properties");
++      fail("IllegalStateException exception was expected");
++    } catch (IllegalStateException e) {
++      assertTrue(e.getMessage().startsWith("JMS appender is disabled"));
++    }
++  }
++
++  public void testEnabled() throws Exception {
++    Logger logger = Logger.getLogger(JNDITestCase.class);
++    PropertyConfigurator.configure("input/JNDI1.properties");
++  }
++}
+-- 
+2.33.1
+
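Review bot: `testEnabled()` in JNDITestCase.java contains no assertion, so it passes whenever `PropertyConfigurator.configure("input/JNDI1.properties")` returns without throwing, even if the appender was never created or attached. Adding `assertNotNull(Logger.getRootLogger().getAppender("testAppender"));` after the configure call would confirm that `Enabled=true` lets the appender through. `testDisabled()` could add the matching `assertNull(...)` in its catch block to show that the rejected appender is not left attached. The `logger` local is unused in both tests and can be dropped. A short comment on `testEnabled()` should say that the binding name `foo` is not expected to resolve in the build environment and that only the absence of the `IllegalStateException` is being checked.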
diff --git a/SOURCES/0002-Disable-JNDI-by-default.patch b/SOURCES/0002-Disable-JNDI-by-default.patch
new file mode 100644
index 0000000..0f0a1ca
--- /dev/null
+++ b/SOURCES/0002-Disable-JNDI-by-default.patch
@@ -0,0 +1,62 @@
+From 39b0d64d6e4c72b41eb08bebcf24f2ca861574ec Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski <mizdebsk@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:07 +0100
+Subject: [PATCH 2/2] Disable JNDI by default
+
+JNDI, which is used by JMS appender, has significant security issues.
+It is safer for users to disable JMS appender by default,
+especially since the large majority are unlikely to be using it.
+Those who are will need to explicitly enable it, for example:
+
+    log4j.appender.jms=org.apache.log4j.net.JMSAppender
+    log4j.appender.jms.Enabled=true
+
+This is a simillar approach to the one implemented in Log4J 2:
+https://issues.apache.org/jira/browse/LOG4J2-3208
+---
+ .../java/org/apache/log4j/net/JMSAppender.java    | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/main/java/org/apache/log4j/net/JMSAppender.java b/src/main/java/org/apache/log4j/net/JMSAppender.java
+index 3482702d..564da0c5 100644
+--- a/src/main/java/org/apache/log4j/net/JMSAppender.java
++++ b/src/main/java/org/apache/log4j/net/JMSAppender.java
+@@ -101,6 +101,7 @@ import java.util.Properties;
+    @author Ceki G&uuml;lc&uuml; */
+ public class JMSAppender extends AppenderSkeleton {
+ 
++  boolean enabled;
+   String securityPrincipalName;
+   String securityCredentials;
+   String initialContextFactoryName;
+@@ -120,6 +121,16 @@ public class JMSAppender extends AppenderSkeleton {
+   JMSAppender() {
+   }
+ 
++  public
++  void setEnabled(boolean enabled) {
++    this.enabled = enabled;
++  }
++
++  public
++  boolean getEnabled() {
++    return enabled;
++  }
++
+   /**
+      The <b>TopicConnectionFactoryBindingName</b> option takes a
+      string value. Its value will be used to lookup the appropriate
+@@ -170,6 +181,10 @@ public class JMSAppender extends AppenderSkeleton {
+    *  Options are activated and become effective only after calling
+    *  this method.*/
+   public void activateOptions() {
++    if (!enabled) {
++      throw new IllegalStateException("JMS appender is disabled by default and must be enabled by setting Enabled=true property of the appender");
++    }
++
+     TopicConnectionFactory  topicConnectionFactory;
+ 
+     try {
+-- 
+2.33.1
+
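Review bot: The `enabled` check added to `activateOptions()` reads a flag that comes from the same appender configuration as the JNDI binding names. It makes the appender off by default, but it does not help where an untrusted party can write the configuration file, so the description should call it a default-off hardening and note that file permissions on the log4j configuration remain the control. `setEnabled`/`getEnabled` are added without Javadoc although the neighbouring options have it; `/** Enables this appender; while false (the default) activateOptions() throws IllegalStateException. */` would document the contract. The throw propagates out of `PropertyConfigurator.configure` (the companion test depends on that), so deployments that already configure a JMSAppender will fail at configuration time after the update, which deserves a changelog line. The body of `activateOptions()` and the rest of the class lie outside the hunk, so it cannot be confirmed from here that no other method reaches a JNDI lookup without passing this check.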
diff --git a/SPECS/log4j.spec b/SPECS/log4j.spec
index e22f05e..6a2f06b 100644
--- a/SPECS/log4j.spec
+++ b/SPECS/log4j.spec
@@ -3,7 +3,7 @@
 
 Name:           log4j
 Version:        1.2.17
-Release:        16%{?dist}
+Release:        17%{?dist}
 Epoch:          0
 Summary:        Java logging package
 BuildArch:      noarch
@@ -24,6 +24,8 @@ Patch3:         0010-Fix-javadoc-link.patch
 Patch4:         0011-Remove-openejb.patch
 Patch5:         0012-Add-proper-bundle-symbolicname.patch
 Patch6:         0001-Backport-fix-for-CVE-2017-5645.patch
+Patch7:         0001-Add-test-case-for-JNDI-disablement.patch
+Patch8:         0002-Disable-JNDI-by-default.patch
 
 BuildRequires:  %{__perl}
 BuildRequires:  maven-local
@@ -61,6 +63,8 @@ Summary:        API documentation for %{name}
 %patch4 -p1 -b .openejb
 %patch5 -p1 -b .bundlename
 %patch6 -p1 -b .cve-2017-5645
+%patch7 -p1 -b .log4shell
+%patch8 -p1 -b .log4shell
 %pom_remove_plugin :maven-site-plugin
 
 sed -i "s|groupId>ant<|groupId>org.apache.ant<|g" pom.xml
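Review bot: Both new `%patch` lines use the backup suffix `.log4shell`, which is the common name for CVE-2021-44228 in Log4j 2, whereas the changelog entry in this commit resolves CVE-2021-4104. That can mislead someone auditing the package by suffix, and it departs from the `.cve-2017-5645` convention on the line above. `%patch7 -p1 -b .cve-2021-4104-test` and `%patch8 -p1 -b .cve-2021-4104` would keep the suffixes distinct and greppable by CVE id. Sharing one suffix is harmless here only because the two patches touch disjoint files; if they ever overlapped, the second backup would likely replace the first.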
@@ -84,6 +88,7 @@ mkdir -p tests/lib/
   ln -s `build-classpath jakarta-oro`
   ln -s `build-classpath javamail/mail`
   ln -s `build-classpath junit`
+  ln -s `build-classpath jms`
 )
 
 
@@ -165,6 +170,10 @@ fi
 
 
 %changelog
+* Wed Dec 15 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:1.2.17-17
+- Fix remote code execution vulnerability
+- Resolves: CVE-2021-4104
+
 * Tue Jul 11 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:1.2.17-16
 - Fix socket receiver deserialization vulnerability
 - Resolves: CVE-2017-5645