Tenable has a reasonable write-up, and Apache has some mitigation info posted.
Minecraft is vulnerable, reportedly both client and server.
There are affected VMware apps, and a variety of other apps from other vendors.
If you loaded Java and particularly if you’re still running Java, you’re going to need to do some research,
Here, your system seems to have an older version of log4j around and that with somewhat different known vulnerabilities, and you will need to figure out what that app is and whether you need it, and whether you need to update or replace it.
If you’re running other Java apps, you will need to review those apps and update as necessary, too.
The app update from the app provider, or—if you’re stuck—maybe pulling the known-vulnerable part from the jar using the unzip command works until there’s an update or a replacement. The unzip command mitigation is listed in the Apache link posted above. Expunging the vulnerable component probably won’t effect most Java apps, but it might. And the mitigation will break code-signing, if the Java app involved is code-signed.
macOS itself does not ship with Oracle Java, and does not ship the Apache logging app. Even back when Apple had its own Java port years ago, you still had to add it yourself. If you’ve added Oracle Java, then you now own the investigation into what is installed.
As for anti-malware apps, I generally do not recommend those add-on anti-malware apps. As endpoint security tools for those that need that, maybe. For general use by folks on a recent version of macOS patched current, not so much. These tools can add overhead and instabilities and can introduce vulnerabilities, and some have had privacy surprises.