Apache Log4j 2.6.1 Jar Contains Critical 10.0 CVSS Vulnerability (CVE-2021-44228)

A critical security scan has flagged the Apache Log4j library version 2.6.1 as containing three severe vulnerabilities, including the infamous Log4Shell flaw with a maximum CVSS severity score of 10.0. This finding indicates that software projects still relying on this outdated version are actively exposed to one of the most dangerous and widely exploited remote code execution vulnerabilities in recent history. The exploit maturity for CVE-2021-44228 is rated as 'High,' and the EPSS score of 94.4% signals an extremely high probability of exploitation attempts in the wild.

The vulnerable library, `log4j-core-2.6.1.jar`, is a direct dependency. The scan identifies two other critical flaws: CVE-2017-5645 (CVSS 9.8) and another unspecified vulnerability. The presence of these multiple critical issues in a single, outdated component creates a compounded security risk. While remediation is marked as available, with fixed versions listed for each CVE, the persistence of this version in a project's dependency tree reveals a significant operational security gap.

This report serves as a direct warning for development and security teams. The Log4Shell vulnerability (CVE-2021-44228) allows unauthenticated remote attackers to execute arbitrary code on affected systems, leading to potential complete system compromise. The high EPSS scores across all listed vulnerabilities underscore an urgent need for immediate patching. Organizations failing to upgrade from log4j-core 2.6.1 are leaving their applications and infrastructure open to severe, automated attacks.