Note: the following lines are a summary of what Apache published (state of 13th December 2021 on 16:06
UTC) - for more details or more recent information see the article linked above.
The affected versions are 7.4.0 to 7.7.3 and 8.0.0 to 8.11.0 which are using log4j-core versions >=2.0-beta9 and <=2.14.1.
Your options to fix it:
Upgrade Solr to 8.11.1
or Replace log4j-jars (Log4j 2.16)
or Set Property: log4j2.formatMsgNoLookups=true
Also check if you are using the Prometheus Exporter. It's also affected and has to be fixed separately (also described in Apaches article).
You probably already heard of it: Log4j - a very popular logging library for java - has a critical vulnerability (Remote Code Execution). See also https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://logging.apache.org/log4j/2.x/security.html
Since Solr is Java-based this also affects Solr instances. Apache already published an article on how to fix it for Solr (https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228).
Note: the following lines are a summary of what Apache published (state of 13th December 2021 on 16:06 UTC) - for more details or more recent information see the article linked above.
log4j2.formatMsgNoLookups=true