A critical vulnerability was recently discovered affecting systems and software that run Apache Log4j versions 2.0-beta9 through 2.12.1 and 2.13 through 2.15.
More information about this vulnerability can be found here: National Vulnerability Database - CVE-2021-44228 (nist.gov)
Additional CVEs have been discovered.
This is an industry-wide vulnerability affecting Apache Log4j itself and is not specific to Syslog-NG PE.
Syslog-NG PE does not use the affected versions of Apache Log4j and is therefore not affected by CVE-2021-44228, CVE-2021-4104, CVE-2021-45015.
Note that version 7.0.29 of Syslog-NG PE includes version 2.17 of Log4j; from the 7.0.29 Release Notes: