UPDATE, 12.20.2021: For the latest information on the Log4j cybersecurity threat as it emerges, please see the Cybersecurity & Infrastructure Security Agency (CISA) website.
As an update to the recent post, Critical Zero-Day Java Vulnerability, please be advised that CISA (Cybersecurity & Infrastructure Security Agency) and its partners have setup a webpage to track the widespread exploitation of the RCE (remote code execution) vulnerability dubbed Log4j, and tracked as CVE-2021-44228 (older CVE 2017-5645 and CVE-2019-17571). This vulnerability, which has a severity rating of 10/10, and is currently being exploited, affects Apache Log4j software libraries, versions 2.0-beta9 to 2.14.1. Log4j is otherwise very broadly used in consumer and enterprise services, websites, applications, and operational technology, which logs security and performance information.
In response, CISA has created the following webpage and a GitHub repository of publicly available and vendor supplied information, including an ongoing compilation of affected products and devices. Both will be continually updated.
Admins are reminded to immediately patch this vulnerability by updating to Log4j 2.15.0 or higher, or apply the vendor advised mitigations. Note that log4j 2.16.0 was released yesterday, and it disables the JDNI lookup by default. For more information see the following Apache Change Release History Log.