A new version of Log4j, 2.16.0, has been released to further address the JNDI issue and permanently prevent CVE-2021-44228.
While release 2.15.0 removed the ability to resolve Lookups in log messages and addressed issues with how JNDI is accessed, the Log4j team feels that having JNDI enabled by default introduces an undue risk for users. Starting in version 2.16.0, JNDI functionality is disabled by default and can be re-enabled via the log4j2.enableJndi system property. Use of JNDI in an unprotected context is a large security risk and should be treated as such in both this library and all other Java libraries using JNDI.
Prior to version 2.15.0, Log4j would automatically resolve Lookups contained in the message or its parameters in the Pattern Layout. This behaviour is no longer the default and must be enabled by specifying %msg{lookup}.
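An audit sketch for the two defaults described above, added here as an example and not taken from the Log4j project: it flags log4j-core jars older than 2.16.0, JVM command lines that set log4j2.enableJndi back to true, and Pattern Layout strings that opt back into message lookups. The function name, finding labels and sample inputs are assumptions constructed for illustration.

```python
import re

FIXED = (2, 16, 0)  # release the page names as disabling JNDI by default

# Matches plain log4j-core jars only; shaded or repackaged copies are not detected.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
# System property from the page, as it appears on a JVM command line.
JNDI_RE = re.compile(r"-Dlog4j2\.enableJndi=(\S+)")
# %m, %msg and %message are the message converters; any option containing
# "lookup" is treated as an opt-in to message lookups.
LOOKUP_RE = re.compile(r"%[-.\d]*(?:message|msg|m)\{[^}]*lookup")


def audit(jar_paths, jvm_cmdlines, layout_patterns):
    """Return (label, evidence) tuples for settings that undo the safe defaults."""
    findings = []
    for path in jar_paths:
        m = JAR_RE.search(path)
        if m is None:
            continue
        version = tuple(int(part or 0) for part in m.groups())
        if version < FIXED:
            findings.append(("old-version", path))
    for cmd in jvm_cmdlines:
        m = JNDI_RE.search(cmd)
        if m and m.group(1).strip("\"'").lower() == "true":
            findings.append(("jndi-reenabled", cmd))
    for pattern in layout_patterns:
        if LOOKUP_RE.search(pattern):
            findings.append(("message-lookups-enabled", pattern))
    return findings


# Constructed sample inventory (not real hosts or applications).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
]
SAMPLE_CMDS = [
    "java -Dlog4j2.enableJndi=true -jar app.jar",
    "java -Xmx1g -jar other.jar",
]
SAMPLE_PATTERNS = ["%d %-5p %c - %msg{lookup}%n", "%d %-5p %c - %m%n"]

if __name__ == "__main__":
    for label, evidence in audit(SAMPLE_JARS, SAMPLE_CMDS, SAMPLE_PATTERNS):
        print(f"{label}: {evidence}")
```

The version check applies only the 2.16.0 threshold stated on this page, so any other release line needs its own handling.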
You can read my earlier post for more detail on the Log4j vulnerability and its remediation: https://santhoshponnam.com/index.php/2021/12/11/log4j-rce-vulnerability/
More information can be found at: https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4