Apache Log4j 2.8.2 Jar Exposes Critical 10.0 CVSS Vulnerabilities in Software Supply Chain

A critical security alert has been triggered for the Apache Log4j library version 2.8.2, exposing systems to two severe vulnerabilities with the highest possible severity rating of 10.0 on the CVSS scale. The findings, flagged in a software dependency scan, indicate a direct and exploitable weakness in a foundational logging component used across countless Java applications worldwide. The exploit maturity for both flaws is rated as 'High,' and the EPSS (Exploit Prediction Scoring System) scores exceed 94%, signaling an imminent and widespread risk of active exploitation.

The vulnerable library, `log4j-core-2.8.2.jar`, is a direct dependency identified in a project's Maven configuration. The primary threat is CVE-2021-44228, a remote code execution vulnerability with a maximum CVSS score of 10.0. A second critical flaw, CVE-2021-45046, carries a CVSS score of 9.0. Both vulnerabilities are present in this specific, outdated version of the Apache Log4j implementation, a ubiquitous logging framework maintained by the Apache Software Foundation.

The immediate pressure is on development and security teams to locate and remediate any instances of this vulnerable library. Patched versions are available, including Log4j core versions 2.3.1, 2.12.2, and 2.15.0 for the first CVE. The presence of these flaws in a core, transitive dependency underscores the persistent and systemic risks within modern software supply chains, where a single vulnerable component can cascade security failures across entire application ecosystems.