Log4j Version 2.16 Disables The Java Naming and Directory Interface By Default
Rejoice, for there is now a way to make your systems somewhat less vulnerable to the Log4Shell vulnerability, in the form of a new patch from Apache. The previous 2.15 patch disabled the JNDI message lookups that are the heart of this vulnerability, but it did not disable JNDI completely, so some software could well be exposed. The new 2.16 patch disables it completely, thus removing the key though not the lock, as JNDI remains susceptible to this hack if ever enabled again.
As it stands, there is a way to disable the vulnerable part, which can also have negative effects on how your software runs, but there is no patch yet which allows you to use JNDI message lookups safely. The widespread use of Log4j means that there will likely be programs that are vulnerable for years to come, as developers suddenly realize that one of their programs actually does use Log4j in a small, often unused component.
Crucially, this move is defense in depth: Apache conceded JNDI "has significant security issues," so it has deactivated it by default with a fresh release. Version 2.15 was most probably enough to protect you from attack; version 2.16 makes it certain.
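The point above about Log4j turning up in a small, often unused component can be checked with an inventory pass. The following Python scanner is an added example, not code from this post or from Apache: it searches a jar, war or ear, including archives nested inside it, for bundled copies of log4j-core and places each one relative to the 2.15 and 2.16 releases. The function names and status labels are hypothetical; the two archive paths are the ones a Maven-built log4j-core jar carries.

```python
import io
import zipfile

# Paths found inside a Maven-built log4j-core jar; all other names are hypothetical.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(version):
    """Place a log4j-core version relative to the 2.15 and 2.16 releases."""
    try:
        major, minor = (int(p) for p in version.split("-")[0].split(".")[:2])
    except (AttributeError, ValueError):
        return "unknown"
    if (major, minor) >= (2, 16):
        return "2.16+: JNDI disabled by default"
    if (major, minor) == (2, 15):
        return "2.15: message lookups disabled, JNDI still enabled"
    return "older than 2.15: upgrade"

def scan_archive(data, path, found=None):
    """Recursively search archive bytes for bundled copies of log4j-core."""
    found = [] if found is None else found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a readable archive, nothing to report
    with zf:
        names = sorted(zf.namelist())
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace").splitlines()
            version = next((l[8:].strip() for l in props if l.startswith("version=")), None)
            # Record path, version, status and whether the JNDI lookup class is present.
            found.append((path, version, classify(version), JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(zf.read(name), f"{path}!/{name}", found)
    return found

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: log4j-core buried in lib/
    old = make_jar({POM: b"version=2.14.1\n", JNDI_CLASS: b""})
    for row in scan_archive(make_jar({"lib/log4j-core.jar": old}), "app.jar"):
        print(row)
```

To scan a real file, pass its bytes and a label, for example `scan_archive(open(p, "rb").read(), p)`. Copies whose classes were repackaged without `pom.properties` are not detected by this check.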