Further details on the most relevant part here: <a href="https://github.com/apache/logging-log4j2/pull/608#issuecomment-993469509" rel="nofollow">https://github.com/apache/logging-log4j2/pull/608#issuecomme...</a><p>Applications using log4j pattern layouts including `${ctx:...}` lookups with versions < 2.15 will remain vulnerable to RCE/DNS infoleaks regardless of the `-Dlog4j2.formatMsgNoLookups=true` mitigation, if the attacker can control any of the `org.apache.logging.log4j.ThreadContext` values used in the configured context lookups. Do not rely on the `-Dlog4j2.formatMsgNoLookups=true` mitigation unless you are certain that the application is not using any attacker-controlled context lookups in the log4j pattern layouts.<p>The `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` mitigation remains effective for < 2.15.0, and may be a good idea for 2.15.0 as well, to avoid the localhost LDAP connections.
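An added example, not part of the original comment: a triage check that follows the comment's reasoning for log4j-core versions below 2.15 by testing whether `JndiLookup.class` is still in the jar and whether the configuration uses `${ctx:...}` lookups that `formatMsgNoLookups` does not cover. The function names, status strings, in-memory jar and sample configuration are constructed for illustration, and the version is assumed rather than detected.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches ${ctx:key} and also the escaped $${ctx:key} form; captures the key.
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}:]+)")


def jar_has_jndi_lookup(jar_bytes):
    """True if the log4j-core jar still contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()


def ctx_lookup_keys(config_text):
    """ThreadContext keys referenced through ${ctx:...} in a configuration."""
    return sorted(set(CTX_LOOKUP.findall(config_text)))


def assess(jar_bytes, config_text, no_lookups_flag):
    """Classify a log4j-core < 2.15 deployment (version is assumed, not detected)."""
    keys = ctx_lookup_keys(config_text)
    if not jar_has_jndi_lookup(jar_bytes):
        return "jndi-class-removed", keys
    if not no_lookups_flag:
        return "unmitigated", keys
    if keys:
        # The flag does not cover these; check who can set each ThreadContext key.
        return "flag-set-but-ctx-lookups-present", keys
    return "flag-only", keys


def build_sample_jar(with_jndi):
    """Constructed stand-in for a log4j-core jar (empty class entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


# Constructed sample configuration with context lookups in the pattern layout.
SAMPLE_CONFIG = """<Configuration><Appenders><Console name="out">
  <PatternLayout pattern="%d %p [${ctx:requestId}] $${ctx:userAgent:-none} %m%n"/>
</Console></Appenders></Configuration>"""

if __name__ == "__main__":
    print(assess(build_sample_jar(True), SAMPLE_CONFIG, True))
```

A `flag-set-but-ctx-lookups-present` result means each listed key has to be traced back to where the application sets it before the flag can be trusted.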