Apache Log4j 2.6.1 Jar Contains Critical 10.0 CVSS Vulnerability (CVE-2021-44228)

A critical security scan has flagged the Apache Log4j library version 2.6.1 as containing three severe vulnerabilities, including the infamous Log4Shell flaw with a maximum CVSS score of 10.0. The findings, reported via a GitHub issue, indicate the vulnerable `log4j-core-2.6.1.jar` file is a direct dependency in a project's build path. This version is years out of date and remains exposed to one of the most widespread and exploited software vulnerabilities in recent history.

The scan specifically identifies CVE-2021-44228, which allows remote code execution and has a 94.4% Exploit Prediction Scoring System (EPSS) score, signaling a high probability of active exploitation. Two other critical vulnerabilities, CVE-2017-5645 (CVSS 9.8) and another CVE, are also present in the same library file. While remediation is marked as available—with fixed versions like 2.12.2 and 2.15.0 listed—the persistence of this outdated, vulnerable component in a project's dependency tree represents a significant unpatched risk.

The presence of this jar file highlights a common but dangerous failure in software supply chain hygiene: neglecting to update transitive dependencies. Organizations relying on software built with this version of Log4j face immediate pressure to audit their entire dependency chain, as the exploit maturity for Log4Shell remains high. This finding serves as a stark reminder that legacy vulnerabilities do not disappear and continue to pose a severe threat to application security when left unaddressed.