Advisory: Impact of Log4j 2 CVE-2021-44228 on Snowplow components

Providing an update on this. The scoping to Java versions has been dropped from the CVE and there are examples of exploits circulating performed on later versions. While we have still not identified anywhere in the pipeline estate that is logging plain text user-submitted content to log4j, we would highly recommend applying the recommended configuration change.
