http://qs321.pair.com?node_id=11139874


in reply to Log4Shell and Log::Log4perl

Although Java is not directly involved, I think it's noteworthy that Log::Log4perl offers code execution while reading configuration files. This might be an entry point for an attacker, although not as serious as Log4Shell since it requires access to the Log4perl configuration files while Log4Shell requires just lazy or no input validation.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Log::Log4perl;

sub some_quote { qq{I solemnly swear that I am up to no good.\n} };

#-- this would be the content of a manipulated log4perl configuration file
my $conf = q(
#-- this could be the content of a configuration file ...
log4perl.category.Foo.Bar = INFO, Screen
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.stderr = 0
log4perl.appender.Screen.layout = \
    sub { \
        print some_quote(); system("date"); \
        return "Log::Log4perl::Layout::SimpleLayout"; \
    }
);

## Log::Log4perl::Config->allow_code(0); #-- would have disabled code execution
Log::Log4perl::init( \$conf );
my $logger = Log::Log4perl::get_logger('Foo::Bar');
$logger->info("Mischief managed.");
```

Output:

I solemnly swear that I am up to no good.
Fri Dec 24 19:33:09 CET 2021
INFO - Mischief managed.

This feature can be disabled (see FAQ) using:

Log::Log4perl::Config->allow_code(0);
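The following is an added example (not part of the post above) showing the defensive side: `allow_code(0)` is set before `init()`, so a configuration that carries a `sub { ... }` value makes `init()` die instead of running the code, and the wrapper turns that failure into a refusal to start. Both configuration strings are constructed for the example; the helper name `init_logging_safely` is an assumption and not a Log::Log4perl API.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Log::Log4perl;

# Hardened initialisation (example helper, not part of Log::Log4perl):
# refuse to evaluate Perl code found in a Log4perl configuration and
# report the rejected configuration instead of executing it.
sub init_logging_safely {
    my ($conf_ref) = @_;

    # Global switch: any "sub { ... }" value in the configuration now
    # makes Log::Log4perl::init() die instead of compiling the code.
    # It must be set before init() is called.
    Log::Log4perl::Config->allow_code(0);

    my $ok = eval { Log::Log4perl::init($conf_ref); 1 };
    return 1 if $ok;

    my $err = $@ || 'unknown error';
    warn "refusing to start: Log4perl configuration rejected: $err\n";
    return 0;
}

# Constructed configuration carrying embedded code in a layout value,
# the same shape as the manipulated file in the post above.
my $tainted_conf = q(
log4perl.category.Foo.Bar = INFO, Screen
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.stderr = 0
log4perl.appender.Screen.layout = \
    sub { system("date"); return "Log::Log4perl::Layout::SimpleLayout"; }
);

# Constructed benign configuration: the layout is a plain class name.
my $clean_conf = q(
log4perl.category.Foo.Bar = INFO, Screen
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.stderr = 0
log4perl.appender.Screen.layout = Log::Log4perl::Layout::SimpleLayout
);

# With allow_code(0) the tainted configuration is rejected at parse time,
# so "date" is never executed.
init_logging_safely(\$tainted_conf)
    or print "tainted configuration rejected, embedded code not run\n";

# The benign configuration still initialises normally.
if (init_logging_safely(\$clean_conf)) {
    Log::Log4perl::get_logger('Foo::Bar')->info("Mischief managed.");
}
```

The important property is ordering: `allow_code(0)` only protects calls to `init()` that happen after it, so set it once at program start rather than next to an individual `init()`. Treat a rejected configuration as a security finding worth alerting on, since a file that should only contain key/value pairs has acquired executable content.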