Apache Log4j 2.6.1 Jar Contains Critical 10.0 CVSS Vulnerability (CVE-2021-44228)

A critical security scan reveals that the widely used Apache Log4j library version 2.6.1 contains three severe vulnerabilities, including the infamous Log4Shell flaw rated with a maximum CVSS score of 10.0. This finding indicates that systems still relying on this outdated version remain actively exposed to remote code execution attacks, with exploit maturity assessed as 'High' and an EPSS score of 94.4%. The presence of this specific jar file in a project's dependency path serves as a direct and urgent signal of compromise risk.

The vulnerable component, `log4j-core-2.6.1.jar`, is a direct dependency in the scanned environment. Alongside CVE-2021-44228 (Log4Shell), the scan also flags CVE-2017-5645, another critical vulnerability with a CVSS score of 9.8. Both findings are classified as 'Direct' library types, meaning the vulnerable code is directly included in the application. Remediation is technically available, with fixed versions explicitly listed for each CVE, including upgrades to log4j-core versions 2.12.2 or 2.15.0 to address the Log4Shell flaw.

This report underscores a persistent and severe operational security failure. The continued use of such a legacy and vulnerable version, years after patches were released, exposes the hosting organization to significant risk. The high EPSS percentages for both critical CVEs indicate a high probability of exploitation attempts in the wild. For any development or security team, this finding demands immediate priority action to update the dependency, as the exposed system is a prime target for automated and targeted attacks aiming for complete server control.