Hindsight is 20/20, but with a hook on javax.naming.Context#lookup and a generally useful improvement to the Map instrumentation, Jazzer reliably finds #log4j CVE-2021-44228 in ~5 min with a one-line fuzz target:
log.error(data.consumeRemainingAsString());<p><a href="https://github.com/CodeIntelligenceTesting/jazzer/pull/257" rel="nofollow">https://github.com/CodeIntelligenceTesting/jazzer/pull/257</a>