What to do right now
Focus on remediating Log4j first.
Initially reported on November 24, 2021 as an instant CVSS 10 out of 10 in severity, the Apache Log4Shell vulnerability has put hundreds of millions of endpoints at risk. And with new variants appearing almost daily, the saga keeps going and going.
However, not every new variant is equal, nor likely to be exploited. At its core, Log4Shell is a vulnerability and should be treated as such. Remediating Log4j CVE-2021-44228, the default configuration, should be your priority.