Apache Log4j 2.15.0 Jar Contains 5 Critical Vulnerabilities, Including a CVSS 9.0 Flaw

A critical security scan has flagged the Apache Log4j 2.15.0 library as containing five distinct vulnerabilities, with the most severe scoring a maximum CVSS rating of 9.0. This finding, reported via a GitHub issue, indicates that a widely used version of the ubiquitous Java logging framework remains dangerously exposed, despite being a patch release intended to address the infamous Log4Shell crisis. The vulnerable library, `log4j-core-2.15.0.jar`, was identified within a project's dependency file, highlighting how easily outdated and insecure versions can persist in software supply chains. The primary vulnerability, tracked as CVE-2021-45046, is classified as Critical. This specific CVE is a known follow-on flaw from the original Log4Shell (CVE-2021-44228) that was not fully mitigated in the initial 2.15.0 patch. The presence of this and four other vulnerabilities in a single JAR file creates a compounded risk for any application or server still relying on this specific version. The scan results explicitly show that remediation is possible by upgrading to a later, fixed version of `log4j-core`. This report serves as a stark reminder that the Log4j incident is not a single-event breach but an ongoing remediation challenge. Organizations that hastily applied the 2.15.0 patch in late 2021 may be operating under a false sense of security. The persistence of this vulnerable version in active codebases continues to pose a significant threat, enabling potential remote code execution and leaving critical infrastructure, enterprise applications, and cloud services exposed to exploitation. Continuous dependency scanning and immediate upgrade to version 2.17.0 or later is the only definitive mitigation.