It is not enough simply to add -Dlog4j2.formatMsgNoLookups=true. There are 2 problems:
This is needed because version 2.15 is still exploitable in certain non-default configurations, and this moderate-severity oversight has earned its own bug ID: CVE-2021-45046.
That release closed the hole (CVE-2021-44228) by disabling by default the Java library’s primarily exploitable functionality: JNDI message lookups. Now version 2.16 is out, and it disables all JNDI support by default, and removes message lookup handling entirely for good measure, hopefully finally preventing further exploitation.
https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/