This is pretty awful. Seems easy to fuzz every input form and API param to see which websites are vulnerable just by seeing which sites get a response. Once a site is found to be vulnerable, a malicious actor can try to funnel all logs to an external server, add a remote shell, and potentially scan the production network of whatever was running log4j. Once in the internal network, they can again scan for log4j exploits. Too many groups blanket whitelist cloud IPs like AWS lambda. Seems like there will be a cascade of experian-level data leaks coming. Even if things are somewhat locked down we've seen time and time again, there's internal sprawl where access to an internal bucket or git repo, or an escalation in the CI/CD pipelines leads to full access, then data dumps/leaks.