"As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Although, users of older versions may also be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath. "
I believe the minecraft patch instructions are in this article that popped up.
I need to get this fixed first thing tomorrow when I get back from the day's events tomorrow.
https://www.pcgamer.com/amp/minecraft-java-edition-should-be-patched-immediately-after-high-severity-exploit-discovered-across-web/
"As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Although, users of older versions may also be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath. "