## Shop Module Exposed: Critical Log4j Vulnerabilities (CVE-2021-44228, CVE-2017-5645) Require Immediate Patching
A critical security remediation has exposed a shop module running on a dangerously outdated and vulnerable version of Apache Log4j. The module was found to be using log4j-core version 2.6.1, a version susceptible to multiple severe, actively exploited vulnerabilities, including the infamous Log4Shell (CVE-2021-44228). This left the system open to remote code execution and deserialization attacks, posing a severe risk of compromise.

The specific vulnerabilities addressed are CVE-2021-44228 (Log4Shell), CVE-2021-45046 (an incomplete fix for Log4Shell), and CVE-2017-5645, a critical deserialization flaw. All three carry a 'Critical' severity rating. The fix involved upgrading the dependencies for `org.apache.logging.log4j:log4j-core` and `log4j-api` from the vulnerable 2.6.1 to the patched version 2.24.3, as documented in a modified `shop/pom.xml` file. The presence of such old, known-critical flaws in a production module signals a significant lapse in dependency management and security posture.

This incident underscores the persistent and widespread risk posed by unpatched Log4j instances years after the initial Log4Shell disclosure. For any organization, the discovery of such a vulnerable component in a business-critical 'shop' module necessitates an immediate audit of all software dependencies. The remediation, while straightforward, highlights the operational pressure and scrutiny faced by development and security teams to identify and eliminate these deeply embedded security debts before they are exploited.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, log4j, CVE-2021-44228, dependency management
- **Credibility**: unverified
- **Published**: 2026-04-21 00:22:39
- **ID**: 73227
- **URL**: https://whisperx.ai/en/intel/73227