Insightful conversations at https://github.com/apache/logging-log4j2/pull/608 - the original vulnerability patch.

Most JNDI lookups are disabled, except for JAVA and _LDAP(S)_. What I don't get is why would someone who knows about the vulnerability would _still_ want to do LDAP lookups during logging, even when restricted to localhost.