...
It should be noted that this vulnerability is fixed in 2.16 The fix in 2.15 was incomplete
**UPDATED on 6th January 2022**
The update in 2.16 was incomplete, those running Java 8 should update to Log4j 2.17.1.
Those running Java 7 should update to 2.12.4, Those running Java 6 should update to 2.3.2.
See the Log4j website at:https://www.cve.org/CVERecord?id=CVE-2021-44228
Log4j – Apache Log4j Security Vulnerabilities
...