Too Long; Didn't Read
Any organization using Java applications or hardware running Log4j < 2.15 is likely vulnerable. The vulnerability is triggered when any part of the logged data contains an untrusted string. If successfully exploited, attackers can perform remote code execution (RCE) and compromise the affected server, leading to a full takeover of the system. Researchers concluded that this is a Java deserialization failure because Log4j makes network requests through JNDI to an LDAP server and executes any code that is returned. The error is triggered within log messages through the use of the ${} syntax.
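An added example, not from the original page: an inventory check for the "Log4j < 2.15" condition above that walks a Java archive and any archives nested inside it. It assumes the library is packaged under its Maven artifact name `log4j-core-<version>.jar`; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: the library ships as log4j-core-<version>.jar (Maven artifact naming).
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([^/]*)\.jar$")
FIXED = (2, 15)  # threshold stated on the page: Log4j < 2.15
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(name):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    return version[:2] < FIXED  # compare major.minor against the fixed release

def scan_archive(data, label, depth=0, max_depth=3):
    """List (path, version, affected) for every log4j-core jar found in an
    archive, descending into nested jar/war/ear files up to max_depth."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # empty or corrupt entry: nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            path = f"{label}!/{entry}"
            version = parse_version(entry)
            if version:
                findings.append((path, version, is_affected(version)))
            elif entry.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                findings.extend(scan_archive(zf.read(entry), path, depth + 1, max_depth))
    return findings

def build_sample():
    """Constructed sample: a fat jar with an old copy and a nested fixed copy."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", b"")
        z.writestr("BOOT-INF/lib/admin.war", inner.getvalue())
        z.writestr("BOOT-INF/lib/log4j-api-2.14.1.jar", b"")
    return outer.getvalue()

if __name__ == "__main__":
    for path, version, affected in scan_archive(build_sample(), "app.jar"):
        print("AFFECTED" if affected else "ok      ", ".".join(map(str, version)), path)
```

Matching on file names is a heuristic: copies that were renamed or repackaged into another jar are not found this way.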