>>It’s not normally there.
Wrong. That “feature” was deliberately coded.
From a different article on it:
The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.
But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.
And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.
The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.
You just proved it's not performing remote code execution. There's nothing in Log4j that lets you run any code. It does a lookup, but that is not executed code or arbitrary code.
Thnx for providing such a clear explanation for a semi-techie like me!