Mendix have said on Slack that this doesn’t affect them as they don’t use the affected versions.
Others have suggested that the affected versions could be in third-party marketplace modules though, so it’s worth checking your userlib folder if you are concerned.
OFFICIAL UPDATE FROM MENDIX:
https://status.mendix.com/incidents/8j5043my610c
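An added example, not part of the original thread and not Mendix tooling: one way to do the userlib check suggested above. It lists every jar under a project's `userlib` folder that is a copy of log4j-core, even when renamed, reading the version from the file name or the jar's Maven `pom.properties`; the function names and sample jars are constructed for illustration, and the versions it reports should be compared against the vendor advisory.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Maven metadata carried inside log4j-core jars; it survives a renamed jar file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$", re.IGNORECASE)

def scan_userlib(userlib):
    """Return [(jar path, version, evidence)] for every log4j-core copy found."""
    hits = []
    for jar in sorted(Path(userlib).rglob("*.jar")):
        version, evidence = None, None
        m = NAME_RE.search(jar.name)
        if m:
            version, evidence = m.group(1), "filename"
        try:
            with zipfile.ZipFile(jar) as zf:
                if POM_PROPS in zf.namelist():
                    props = zf.read(POM_PROPS).decode("utf-8", "replace")
                    pm = re.search(r"^version=(.+)$", props, re.MULTILINE)
                    if pm:  # metadata inside the jar beats the file name
                        version, evidence = pm.group(1).strip(), "pom.properties"
        except zipfile.BadZipFile:
            pass  # corrupt archive: keep whatever the file name told us
        if evidence:
            hits.append((str(jar), version, evidence))
    return hits

def build_sample_userlib(root):
    """Constructed sample data: three tiny jars, one of them a renamed copy."""
    root = Path(root)
    with zipfile.ZipFile(root / "log4j-core-2.11.1.jar", "w") as zf:
        zf.writestr(POM_PROPS, "version=2.11.1\n")
    with zipfile.ZipFile(root / "vendor-logging.jar", "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.13.0\n")
    with zipfile.ZipFile(root / "commons-io-2.6.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root

if __name__ == "__main__":
    # Pass the path to a project's userlib folder, or run on the sample data.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_userlib(tempfile.mkdtemp())
    for path, version, evidence in scan_userlib(target):
        print(f"{path}\tversion={version}\t({evidence})")
```
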
Two Marketplace modules that contain a version of log4j-core (that I'm aware of) are:
A link to the Slack channel discussing this:
https://mendixcommunity.slack.com/archives/CKFARC1B2/p1639188441253700
Also the older Amazon S3 module is affected: