As most of you might be in the middle of fighting this crisis of this vulnerability, we wish to inform that MOSIP and its core components do not rely on Log4J for their logging. The only component in MOSIP that does rely on is partner management service and we use 1.2.17 version. As per the published CVE-2021-44228, The 1.2.17 version is not vulnerable.
The vulnerable log4j version starts from 2.0-beta-9 to 2.14.1 version. Hence, as a platform MOSIP is not vulnerable to this issue.
However, as a responsible open source community, we would outline the details of how to detect, and strategize your protection across this vulnerability.
The following gist contains the information that you can use to protect and detect the attack across your application.
You would see the log4j version information in our POM files, but there is no dependency on the same. Those are stale property tags leftover in our POM files. Except for our partner management, none of our projects has direct dependcies. Partner management service uses 1.2.17 and this version is not vulnerable to this attack.
However, we will move to the latest log4j in our latest 1.5.x version.