I generally miss any response or statement from Mendix… Even if there is no vulnerability and no impact to Mendix apps…
Edit: the vulnerable version (log4j-core-2.11.1) seems to be in the modeler folder but not in the runtime. The runtime does org.apache.logging.log4j.log4j-api.2.14.0.jar but not the log4j-core.
I don't think it depends on if you use the logging module, because the Mendix runtime also uses the org.apache.logging.log4j library. For the attacker it doesn't matter if he is logged in or not, he only needs to trigger messages to the log —this might occur when failing multiple logins, putting wrong parameters in a deeplink, etc. anything that triggers a log messages with the users input. And it is this specific input that creates a vulnerability (like SQL injection but then via log messages)
I did various tests with canary tokens and was unable to detect this vulnerability ( CVE-2021-44228) in Mendix. So I decided not to file a ticket with Mendix for further investigation. But it would be best if Mendix can confirm this.
For those unfamiliar with the vulnerability, this is a pretty good write up (and one of the first): https://www.lunasec.io/docs/blog/log4j-zero-day/
Instructions on how to test this with canary tokens: https://twitter.com/cyb3rops/status/1469405846010572816?s=20
Regarding the original question:
“We are using log4j-1.2.17, this comes with the Logging module. The app is running in the Mendix Cloud, java version 11. Is this a vulnarability?”
Yes, it is. For CVE-2019-17571.
I don’t know if that is exploitable in your case, but keep in mind that log4j-1.2.17 has seen its end-of-life in 2015, and is unsupported since then.