Most applications monitored by javamelody use either the javamelody-core dependency (jar file) or the javamelody-spring-boot-starter dependency. Neither is affected by the log4j CVE, because they do not include log4j and do not declare a compile or runtime dependency on it. Other applications use a plugin for Jenkins, JIRA/Confluence/Bamboo/Bitbucket, Liferay, Alfresco, Sonar or Grails. Those plugins are not affected for the same reason.
The optional javamelody collect server is sometimes used and it includes log4j, for which the recent security advisories were published (CVE-2021-44228 and CVE-2021-45046). When the collect server is used, it is recommended to upgrade the collect server to the latest version 1.90.0, which includes the latest log4j 2.16.0.
Version 1.90.0 of the collect server is available at https://github.com/javamelody/javamelody/releases/download/javamelody-core-1.90.0/javamelody-collector-server-1.90.0.war
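To confirm which log4j a deployed collect server actually bundles, the following added example (not part of the javamelody project) lists the log4j-core jars inside a WAR and flags any older than the 2.16.0 named above. It assumes the jars follow Maven naming (`log4j-core-<version>.jar`); `make_sample_war` is a hypothetical helper that builds constructed sample input.

```python
import io
import re
import sys
import zipfile

# log4j version the advisory says ships with collect server 1.90.0.
FIXED = (2, 16, 0)
# Assumption: Maven-style jar names, e.g. WEB-INF/lib/log4j-core-2.16.0.jar
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def bundled_log4j_versions(war):
    """Return a sorted list of (entry name, version tuple) for log4j-core jars."""
    found = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                # A missing patch component (e.g. 2.0-beta9) is treated as 0.
                found.append((name, tuple(int(g or 0) for g in m.groups())))
    return sorted(found)


def needs_upgrade(war):
    """True if any bundled log4j-core is older than FIXED."""
    return any(v < FIXED for _, v in bundled_log4j_versions(war))


def make_sample_war(log4j_version):
    """Constructed sample: a minimal in-memory WAR holding empty log4j jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/log4j-core-{log4j_version}.jar", b"")
        zf.writestr(f"WEB-INF/lib/log4j-api-{log4j_version}.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_war.py /path/to/javamelody-collector-server.war
    for path in sys.argv[1:]:
        for name, v in bundled_log4j_versions(path):
            status = "UPGRADE" if v < FIXED else "ok"
            print(f"{path}: {name} {'.'.join(map(str, v))} {status}")
```

The check matches on file names only, so a log4j copy repackaged under a different jar name would not be reported.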