Statement about Log4J v2 vulnerability CVE-2021-44228
Gerrit v3.5.0.1 uses log4j 1.2.17, this means it’s not affected by the Log4J v2 vulnerability CVE-2021-44228.
Gerrit v3.5.1 does not use log4j but adopted reload4j instead.
Log4j 1.2.17 is affected by CVE-2019-17571 and CVE-2020-9488 however, both of them require a specific log4j configuration that Gerrit does not use out of the box.
Should you have used a custom log4j configuration you should also check that your configuration is not impacted by the above vulnerabilities and look at the associated mitigation actions.