Apache Log4j 2.8.2 Jar Contains Two Critical Vulnerabilities, Including CVSS 10.0 Exploit

A critical security alert has been flagged for the widely used Apache Log4j logging library. The specific version `log4j-core-2.8.2.jar` contains two severe vulnerabilities, with the highest-rated flaw, CVE-2021-44228, scoring a maximum 10.0 on the CVSS severity scale. This represents an immediate and severe risk to any system or application still utilizing this outdated component, as the exploit maturity for both vulnerabilities is assessed as 'High'.

The vulnerabilities are direct dependencies within the library. The first, CVE-2021-44228 (CVSS 10.0), is the infamous Log4Shell remote code execution flaw. The second, CVE-2021-45046 (CVSS 9.0), is a related critical vulnerability that allows for denial-of-service and potential remote code execution in certain non-default configurations. Both have exceptionally high Exploit Prediction Scoring System (EPSS) percentages, indicating a very high probability of active exploitation in the wild.

Patches and fixed versions have been available for years, including updates to `log4j-core` versions 2.12.2, 2.15.0, and 2.16.0. The continued presence of this vulnerable 2.8.2 version in a project's dependency chain signals a significant unaddressed security debt. Organizations must urgently audit their software supply chains, identify any instances of this or other vulnerable Log4j versions, and apply the available remediation to mitigate the risk of compromise.