It looks like you're new here. If you want to get involved, click one of these buttons!
Various releases of ProM contain version 2.8.1 of log4j which, in itself, is vulnerable. However, ProM itself is not vulnerable.
ProM contains log4j only for the sake of the Google Analytics feature, which allows you as a user to let us know which plugins you actually use. This feature can be enabled and disabled using the Package Manager. If you disable this feature, ProM will not use log4j. If you really want to be sure, disable this feature and simply remove the three log4j libraries from the lib folder of ProM.
ProM runs as an application, and not as a server. Only the Google Analytics feature can use the log4j in ProM, so only messages generated by the Google Analytics will be logged by log4j. The user cannot inject his/her own strings into these messages.
A new version of the ProM framework is available in the nightly builds as of December 16 (Nightly build of Thursday, 16.12.2021, 11:04:44). This version contains version 2.16.0 of log4j, which fixes the vulnerability. If needed, you can download this (or a later) nightly build, and replace the three log4j-*-2.8.1.jar files in the “lib” folder (and, if applicable, in the packages/prom-framework-* folder as well) with the three log4j-*-2.16.0.jar files of this nightly build. After this patch, ProM will use log4j version 2.16.0, which does not contain the vulnerability.