Apache Log4j 2.6.1 Contains Three Critical Vulnerabilities, Including最高Severity CVE-2021-44228 (CVSS 10.0)

A security scan of project dependencies has flagged log4j-core-2.6.1.jar as harboring three critical vulnerabilities, with the highest reaching a CVSS score of 10.0—the maximum possible severity rating. The most dangerous flaw, CVE-2021-44228 (widely known as Log4Shell), carries an exploit probability of 94.358% and has reached "High" exploit maturity, indicating weaponized proof-of-concept code is actively circulating. A second critical flaw, CVE-2017-5645, scored 9.8 on the CVSS scale with a 94.013% probability of active exploitation. A third vulnerability, CVE-2021-45046, is also present in the affected library. All three are direct dependencies in the project's Maven configuration.

Apache Log4j is among the most widely deployed logging libraries across enterprise Java applications, which amplifies the exposure surface considerably. The vulnerability chain allows unauthenticated remote code execution through specially crafted log entries—a class of attack that permits full system compromise without credentials. Organizations running this library version face immediate risk of targeted intrusion, cryptomining deployment, or lateral movement within internal networks. The library path traces back to the central pom.xml dependency manifest, confirming this is not a transitive issue but a direct inclusion.

Patched versions are available: org.apache.logging.log4j:log4j-core versions 2.3.1, 2.12.2, or 2.15.0 resolve all three identified vulnerabilities. The Pax Logging variant also receives corresponding fixes in versions 1.11.10 and 2.0.11. Security teams should prioritize patching given the combination of maximum severity, high exploit probability, and widespread library adoption across cloud infrastructure and web-facing applications.