Ummmmm... that’s what the entire panic is over. A security flaw means that Log4J will retrieve client-supplied URLs including executing Java code. That’s not good.
https://www.reuters.com/markets/europe/exclusive-imf-10-countries-simulate-cyber-attack-global-financial-system-2021-12-09/?fbclid=IwAR3fiRQ05BTXjvfc5N_hFlNh0yhH5PbmIe8zCzsfzLMw6L6cKZXUrr6prI0