Log4J Bulletin: Passenger not affected
TL:DR; Passenger is not affected.
Passenger has no components written in Java and thus does not use log4j. As such, it is not affected by the log4j vulnerabilities (CVE-2021-45046 & CVE-2021-44228, or any subsequently discovered issues with log4j).