临时解决,设定参数:formatMsgNoLookups=true
Temporary Mitigation
As per this discussion on HackerNews:
The 'formatMsgNoLookups' property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 [1] that proposed it. Therefore the 'formatMsgNoLookups=true' mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0, because it then becomes the default behavior [2][3].
If you are using a version older than 2.10.0 and cannot upgrade, your mitigation choices are:
Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files, see details at
https://issues.apache.org/jira/browse/LOG4J2-2109 (only works on versions >= 2.7) or,
Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.
参考
https://www.lunasec.io/docs/blog/log4j-zero-day/