Mostly done with my #log4shell range - Terraform and Ansible deploy it to AWS so you can play around with log4shell.
Jetty is kinda vulnerable... It doesn't use log4j logging by default, but it does come with a drop-in logging replacement module that uses log4j. By default... Even the current versions of Jetty for download will, when enabling this module, download vulnerable log4j. The people making Jetty don't seem to realize this yet. I have no idea if anyone uses the replacement module. But I did!
#Apache Guacamole is the interface I deploy to let folks interact with the range easily. It is not easy to configure automatically... There's a simple user config file, but it is intentionally extremely simple. If you want to deploy Guacamole via configuration as code, you need something more powerful. I created this to do that:
https://github.com/kc0bfv/guacamoleREST
Solr is vulnerable if you grab the right version from Docker Hub (8.8.0 works nicely). But - the Java executable in there is from within the last few years, and those all disallow remote code includes via JNDI... So by default it's not going to give you RCE - at least not with the method commonly cited.