If the latest version is not available, Cloudflare has a WAF tweak that can also protect you. You must use a firewall and either set the system property "log4j2.formatMsgNoLookups" to "true" or remove the JndiLookup class from the classpath.
Those who use Cloudflare WAF can also take advantage of three new rules that have been developed to mitigate any exploitation efforts:
| Rule ID (legacy WAF) | Rule ID (new WAF) |
|---|---|
| 100514 | 6b1cc72dff9746469d4695a474430f12 |
| 100515 | 0c054d4e4dd5455c9ff8f01efe5abb10 |
| 100516 | 5f6744fa026a4638bda5b3d7d5e015dd |
The three firewall rules inspect the HTTP headers, the body and the URL, respectively.
More details about the vulnerability can be found in the official Log4j security page.
Who is affected
Log4j is a powerful Java-based logging library developed by the Apache Software Foundation.