There’s already a CVE number for this: NVD - CVE-2021-44228
It implies that an attacker already has control over some other server. The most recent update obviously solves this problem. On the other hand, I am currently running FPBX with community modules only on CentOS 7 and Debian 11 and there is no log4j.