My project has a transitive dependency on log4j v1.2.16 through org.mobicents.servlet.sip package used in my project as a direct dependency.
But org.mobicents.servlet.sip is no longer actively developed.
Are there any options to fix this vulnerability other than waiting for org.mobicents.servlet.sip to fix the issue?
The final solution was to explode the log4j-1.2.17.jar, remove the affected classes SocketServer.class and JMSAppender.class, create a custom jar and use it.
The commands used to explode the jar and create the new one were taken from the Stack Overflow answer below.
Reference: https://stackoverflow.com/a/16806235/8864570
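The same explode-and-repackage step done with Python's standard zipfile module, as an added example that is not part of the answer above (the answer itself uses the jar/zip commands from the linked post). It removes exactly the two classes the answer names, SocketServer.class and JMSAppender.class under org/apache/log4j/net/, also dropping any `Name$Inner.class` entries because inner classes compile to separate jar entries, keeps everything else (including META-INF/MANIFEST.MF) untouched, and then re-reads the result to confirm the classes are gone. The jar it operates on in the demo is constructed inline with dummy entries as a stand-in for log4j-1.2.17.jar; point `strip_classes` at the real jar's bytes to produce the custom jar.

```python
"""Strip named classes from a jar and verify the result.

Added example; not code from the answer above. The sample jar built by
build_sample_jar() is constructed here with dummy entries and only mimics
the package layout of log4j-1.2.17.jar.
"""
import fnmatch
import io
import zipfile

# The two classes the answer removes, in the log4j 1.x package layout.
AFFECTED_CLASSES = [
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
]


def _matches(entry, targets):
    """True if entry is one of the targets or an inner class of one.

    javac emits Foo$Bar.class as its own file, so a plain name match would
    leave inner classes of a removed class behind in the jar."""
    for target in targets:
        if entry == target:
            return True
        stem = target[: -len(".class")]
        if fnmatch.fnmatch(entry, stem + "$*.class"):
            return True
    return False


def strip_classes(jar_bytes, targets=AFFECTED_CLASSES):
    """Return (new_jar_bytes, removed_entries).

    Every entry not matched is copied with its original ZipInfo, so the
    manifest and all other classes survive unchanged."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if _matches(info.filename, targets):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def verify_absent(jar_bytes, targets=AFFECTED_CLASSES):
    """Entries from targets (or their inner classes) still present.

    An empty list means the jar is clean; run this on the custom jar
    before shipping it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [name for name in jar.namelist() if _matches(name, targets)]


def list_entries(jar_bytes):
    """All entry names in the jar, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar (dummy contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in [
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/SocketServer.class",
            "org/apache/log4j/net/JMSAppender.class",
            "org/apache/log4j/net/SocketAppender.class",
        ]:
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_jar() with open("log4j-1.2.17.jar", "rb").read()
    # to process the real jar.
    original = build_sample_jar()
    custom, removed = strip_classes(original)
    print("removed:", removed)
    print("still present:", verify_absent(custom))
    with open("log4j-1.2.17-custom.jar", "wb") as f:
        f.write(custom)
```

The custom jar only helps if it is the copy that actually ends up on the classpath, so the original transitive log4j jar still has to be excluded from the build; checking the deployed artifact with `verify_absent` is the quickest way to confirm the swap took effect.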