Mendix have said on Slack that this doesn’t affect them as they don’t use the affected versions.
Others have suggested that the affected versions could be in third party marketplace modules though, so it’s worth checking your userlib folder if you are concerned.
OFFICIAL UPDATE FROM MENDIX:
Two Marketplace modules that contain a version of log4j-core (that I'm aware of) are:
a link to the slack channel discussing this:
Also the older Amazon S3 module is affected: