Tags: java, spring-boot, security, log4j2, cve-2021-44228

Log4j2 Vulnerability in version 2.16.0

Our system is a microservices-based system. It has more than 120 services. We were advised to upgrade the log4j version in our microservices to 2.16.0 to mitigate the recent log4j vulnerability. Currently, our services use the 2.11.2 version. Can't we just use -Dlog4j2.formatMsgNoLookups=true to mitigate these vulnerabilities?

Solution

  • Look at the Apache Log4j Security Vulnerabilities page, especially the explanation under the heading "Fixed in Log4j 2.12.2 and Log4j 2.16.0".

    It explains that even in 2.15.0, which had the initial fix for CVE-2021-44228, there was a situation possible in which you still had a problem, which has a new ID: CVE-2021-45046.

    Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.

    To protect yourself against the new CVE, update to 2.16.0.
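An added example (not from the question or the answer, and not Log4j project code) of how a defender could inventory which of the 120 services' build artefacts still ship a log4j-core that the answer above classes as exposed, i.e. anything below 2.16.0 apart from the Java 7 backport line starting at 2.12.2. It assumes the jars carry the pom.properties metadata Maven embeds and that Spring Boot fat jars nest libraries under BOOT-INF/lib; the sample jars are constructed in memory.

```python
import io
import zipfile

# Maven metadata that the standard jar plugin embeds in log4j-core.
LOG4J_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); a non-numeric piece ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_fixed(version):
    """Carries the CVE-2021-44228/45046 fix: 2.16.0+ or the Java 7 line from 2.12.2."""
    v = parse_version(version)
    return v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0)

def log4j_core_versions(jar_bytes):
    """Yield each log4j-core version in a jar, descending into jars nested
    inside it (BOOT-INF/lib in Spring Boot fat jars, WEB-INF/lib in wars)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if LOG4J_CORE_PROPS in names:
            for line in zf.read(LOG4J_CORE_PROPS).decode().splitlines():
                if line.startswith("version="):
                    yield line.split("=", 1)[1].strip()
        for name in names:
            if name.endswith(".jar"):
                yield from log4j_core_versions(zf.read(name))

def audit(jars):
    """{file name: bytes} -> {file name: version} for jars still needing the upgrade."""
    return {name: v for name, data in jars.items()
            for v in log4j_core_versions(data) if not is_fixed(v)}

def make_jar(version, nested=False):
    """Constructed sample jar (not a real log4j artefact); nested=True wraps
    it under BOOT-INF/lib the way Spring Boot fat jars do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_CORE_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", buf.getvalue())
        buf = outer
    return buf.getvalue()
```

Pointing audit() at the real jars from a build output directory (read each file's bytes into the dict) gives the list of services that still need the 2.16.0 upgrade; a 2.15.0 hit is reported as exposed because of CVE-2021-45046.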