For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
messages, and parameters do not protect against attacker controlled
LDAP and other JNDI related endpoints. An attacker who can control
log messages or log message parameters can execute arbitrary code
loaded from LDAP servers when message lookup substitution is
enabled. From log4j 2.15.0, this behavior has been disabled by
default.

Updating this package is, of course, necessary, but that will only help so much; it is bundled into a lot of other deployed products. For more information see this Ars Technica article or, for desperate cases, the Logout4Shell utility.
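Because the package is bundled inside other products, finding affected copies means looking inside archives, including jars nested in wars and ears. The following is an added example, not code from Apache or from the original page: it walks an archive recursively, reads the Maven `pom.properties` that log4j-core jars carry, and flags versions in the advisory's affected range (<= 2.14.1). The helper names and the in-memory sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Maven metadata path shipped inside log4j-core jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LAST_AFFECTED = (2, 14, 1)  # from the advisory: Log4j2 <= 2.14.1
NESTED = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """Extract (major, minor, patch) from pom.properties text, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(data, label, depth=0, max_depth=5):
    """Return [(location, version, affected)] for each bundled log4j-core."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                if ver:
                    hits.append((label, ver, ver[0] == 2 and ver <= LAST_AFFECTED))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                # Recurse into bundled archives (WEB-INF/lib, fat jars, ...).
                hits += scan(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return hits

def make_zip(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():
    """Scan a constructed war holding one affected and one updated copy."""
    old = make_zip({POM: b"#Generated by Maven\nversion=2.14.1\n"})
    new = make_zip({POM: b"version=2.15.0\n"})
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old,
                    "WEB-INF/lib/other.jar": make_zip({"lib/log4j-core-2.15.0.jar": new})})
    return scan(war, "app.war")

if __name__ == "__main__":
    for loc, ver, affected in demo():
        print("AFFECTED" if affected else "ok      ", ".".join(map(str, ver)), loc)
```

Shaded or repackaged jars that drop the Maven metadata will not be found by this check, so an empty result is not proof that a product is free of the library.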