Apache Log4j 2.6.1 Jar Contains Critical 10.0 CVSS Vulnerability (CVE-2021-44228)

A critical security scan has flagged the Apache Log4j library version 2.6.1 as containing multiple severe vulnerabilities, including the infamous Log4Shell flaw rated with a maximum CVSS score of 10.0. The findings, automatically generated from a dependency analysis, reveal that the `log4j-core-2.6.1.jar` file is a direct dependency in a project's build path, exposing any application using it to potential remote code execution. The exploit maturity for the primary vulnerability is assessed as 'High,' with an Exploit Prediction Scoring System (EPSS) probability of 94.4%, indicating a very high likelihood of active exploitation in the wild.

The scan details three specific vulnerabilities within this single library version. The most severe is CVE-2021-44228, the Log4Shell vulnerability, which allows an attacker to execute arbitrary code by exploiting JNDI lookups in log messages. A second critical flaw, CVE-2017-5645, with a CVSS score of 9.8, also permits remote code execution through a specially crafted serialized object. The report confirms that official remediation is available, listing specific patched versions (including 2.12.2 and 2.15.0 for Log4Shell) to which developers must upgrade.

This automated alert underscores the persistent and severe risk posed by outdated, vulnerable dependencies in software supply chains. The presence of such a high-profile, actively exploited vulnerability in a foundational logging library represents a clear and immediate threat to application security. Organizations that have not systematically audited and updated their Log4j dependencies remain at significant risk of compromise, as threat actors continue to scan for and exploit these known weaknesses. The availability of fixes shifts the burden entirely onto development and security teams to prioritize and execute the necessary upgrades.