If any of your installed modules use log4j, they should be in the userlib folder. The Mendix runtime does use log4j-api, however, as Mendix states here, that library does not pose a risk to your application at this time. Other security listings DO recommend to upgrade this library in order to prevent version desync with the core module (if present).
With regards to Mendix 4.7.1, I do not know whether the log4j-api library is used in that specific version. You can check this yourself by building the application and scanning it with security tools like Trivy.