CVE-2021-44228 is another story – log4j 2.x passes unsanitized user input to the JNDI lookup mechanism. And that’s why many applications are affected. In general, we see a pattern of CVEs being assigned for issues that are unlikely to be exploitable, and we are trying to push back where we are able to, to avoid unnecessary panic.