Apache Software Foundation reports:
It was found that the fix to address CVE-2021-44228 in Apache
Log4j 2.15.0 was incomplete in certain non-default
configurations. This could allow attackers with control over
Thread Context Map (MDC) input data when the logging
configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread
Context Map pattern (%X, %mdc, or %MDC) to craft malicious input
data using a JNDI Lookup pattern resulting in a denial of
service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt
to restrict JNDI LDAP lookups to localhost by default. Log4j
2.16.0 fixes this issue by removing support for message lookup
patterns and disabling JNDI functionality by default.
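As an added example (not part of the ASF advisory), a Python check that scans a Log4j 2 XML configuration for the conditions the advisory names: a PatternLayout whose pattern contains a Context Lookup ($${ctx:...}) or a Thread Context Map pattern (%X, %mdc, %MDC). The sample configuration and its appender names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Markers the advisory names: a Context Lookup ("$${ctx:...}" or "${ctx:...}")
# and the Thread Context Map conversion patterns %X, %mdc and %MDC.
CTX_LOOKUP = re.compile(r"\$+\{ctx:", re.IGNORECASE)
MDC_PATTERN = re.compile(r"%(X|mdc|MDC)\b")

# Constructed sample log4j2.xml: one default-style layout and two that feed
# Thread Context Map data into the formatted message.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %m%n"/>
    </Console>
    <Console name="CtxLookup" target="SYSTEM_OUT">
      <PatternLayout pattern="%d user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="MdcPattern" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %X{requestId} %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Safe"/></Root></Loggers>
</Configuration>"""


def find_risky_patterns(config_xml):
    """Return (appender name, pattern, reasons) for each PatternLayout that
    pulls Thread Context Map data into the log message."""
    findings = []
    for parent in ET.fromstring(config_xml).iter():
        for layout in parent.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:  # <PatternLayout><Pattern>..</Pattern></PatternLayout>
                child = layout.find("Pattern")
                pattern = (child.text or "") if child is not None else ""
            reasons = []
            if CTX_LOOKUP.search(pattern):
                reasons.append("context lookup")
            if MDC_PATTERN.search(pattern):
                reasons.append("thread context map pattern")
            if reasons:
                findings.append((parent.get("name", parent.tag), pattern, reasons))
    return findings


if __name__ == "__main__":
    for name, pattern, reasons in find_risky_patterns(SAMPLE_CONFIG):
        print(f"{name}: {pattern!r} -> {', '.join(reasons)}")
```

A hit means the layout is affected by the advisory's condition and the upgrade to 2.16.0 (or removal of the lookup/MDC pattern) applies; the default `%m%n`-style layout produces no finding.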