Under what circumstances can log4j be used to exploit Logstash?

A carefully crafted payload that is processed by Logstash and results in a message being sent to the logger containing that payload is sufficient to trigger the issue. The payload does not have to be transmitted directly by an attacker, but could be fetched by any one of a pipeline's input plugins so long as doing so resulted in the exploit string being included in a log message.

The only validated mitigations remain the removal of the class file or upgrading to a patched release.

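A way to verify the class-file mitigation mentioned in the answer above, as an added example that is not part of the original post or Elastic's own tooling: it walks an install directory and reports every archive, nested ones included, that still contains the class. It assumes the class file in question is `JndiLookup.class` inside log4j-core; `jndi_hits`, `scan_tree` and `make_jar` are hypothetical helper names, and the demo jars are constructed.

```python
import io
import os
import sys
import tempfile
import zipfile

# Assumption: this is the class the "removal of the class file" mitigation deletes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def jndi_hits(archive, label, depth=0, max_depth=4):
    """Return labels of every archive (nested ones included) that still ships the class."""
    hits = []
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                    # Fat jars bundle log4j-core as an inner archive: recurse in memory.
                    inner = io.BytesIO(zf.read(name))
                    hits += jndi_hits(inner, f"{label}!{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError):
        print("skipped unreadable archive:", label, file=sys.stderr)
    return hits

def scan_tree(root):
    """Walk an install directory and check every archive found under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits += jndi_hits(path, path)
    return hits

def make_jar(target, members):
    """Write a constructed archive; members maps entry name -> bytes."""
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:  # no path given: run on constructed sample jars
        root = tempfile.mkdtemp()
        make_jar(os.path.join(root, "log4j-core-unpatched.jar"), {JNDI_CLASS: b""})
        make_jar(os.path.join(root, "log4j-core-stripped.jar"), {"META-INF/MANIFEST.MF": b""})
    for hit in scan_tree(root):
        print("JndiLookup.class present:", hit)
```

An empty result only shows the class is absent from the archives scanned; it does not tell you whether the bundled Log4j is a patched release.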