Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, this vulnerability is quite severe. We're calling it "Log4Shell" for short (CVE-2021-44228 just isn't as memorable).
The 0-day was tweeted along with a POC posted on GitHub. (...) This has been published as CVE-2021-44228 now.
Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.
Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.
Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j.