
But the issue was also fixed in all recent versions of JVM's. So it is only an issue on "old" versions - right?


That's incorrect. While the LDAP portion of this problem is mitigated in new JDKs, there are other vectors of attack like RMI. It's by far the easiest and most severe vulnerability I've ever seen.


Do you have a source for that?



As they mention, these are custom examples where you make a lookup on a user-supplied string. But do you have an example of that? It seems highly unlikely to do JNDI lookups based on user input.


${jndi:rmi://localhost:1099/ObjectName} will do the lookup to the RMI server for ObjectName.
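The thread above hinges on whether a `${jndi:...}` token in user-controlled input (a request path, a User-Agent header) reaches a log4j lookup. From the defender's side, the first practical check is to scan existing logs for such tokens, with the scheme (`ldap`, `rmi`) called out so the findings can be triaged. The following detector is an added example written for this page, not code from any of the commenters or from log4j itself; the log lines it scans are constructed samples, and the `rmi://localhost:1099/ObjectName` value is the one quoted in the comment above.

```python
import re

# Matches the plain spelling of a log4j JNDI lookup token, e.g. ${jndi:ldap://...}
# or ${jndi:rmi://...}, and captures the scheme. Assumption: only the un-nested
# form is matched; this is a constructed detector, not log4j's own parser.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*([a-zA-Z]+)\s*:", re.IGNORECASE)


def find_jndi_lookups(line: str) -> list[str]:
    """Return the lower-cased JNDI scheme names (ldap, rmi, ...) found in one line."""
    return [m.group(1).lower() for m in JNDI_PATTERN.finditer(line)]


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_index, schemes) for every line that carries a JNDI lookup token."""
    hits = []
    for idx, line in enumerate(lines):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((idx, schemes))
    return hits


# Constructed sample access-log lines (not real traffic). Line 1 carries the token
# in the User-Agent field, line 2 in the query string; line 0 is benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://localhost:1389/ObjectName}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?q=${jndi:rmi://localhost:1099/ObjectName} HTTP/1.1" 400 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for idx, schemes in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: JNDI lookup token via {', '.join(schemes)}")
```

Any hit means user input reached a log statement with a lookup token in it; whether the lookup was actually performed depends on the log4j version and configuration in use, so a hit is a triage lead, not proof of compromise. Scanning every field that ends up logged (headers, paths, form values) matters more than the exact regex, because the token can arrive in any of them.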



