Here are some additional details to help you with queries you may have to field internally.
- Some versions of Log4j can use LDAP and JNDI to lookup and acquire resources over the network, and under certain conditions it allows arbitrary, untrusted code from an LDAP server controlled by a malign actor to execute
- Apache Log4j is not part of Zulu, but is likely present in your environments as part of any number of application frameworks, including Apache Tomcat or Eclipse Jetty.
- Similar Remote Code Execution (RCE) vulnerabilities have been reported against versions of Java between 2009 and 2018. Each used a similar mechanism, loading code over JNDI, but each had a separate execution path. Fixes were released to block the particular execution path each time.
- The present CVE uses the same mechanism, but the execution path which allows the vulnerability to be exploited lies within the vulnerable versions of Log4j rather than the JDK.