The log4j people have updated their security advisory to say that these
two mitigation measures are not sufficient to protect against the recent
vulnerability:
2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable
(v2.10+ only)
The current recommended fixes are:
1. upgrade to 2.16.0 (not 2.15.0), or
2. remove the JndiLookup.class file from log4j-core-*.jar
More details on: https://logging.apache.org/log4j/2.x/security.html
Nick
