We've published a blog post to explain the impact of the log4j security vulnerabilities on the Matrix ecosystem: https://matrix.org/blog/2021/12/15/on-matrix-and-the-log-4-j-vulnerabilities. TL;DR: if you run your own Jitsi or signald (or other java-based component), you need to apply mitigations immediately.