...
All older Delft-FEWS versions before 2018.02 use log4j version 1.x. which does not contain the vulnerable class (JNDI lookup). Also the JMSAppender is not used. See Apache's statement around Log4j v1.x https://logging.apache.org/log4j/2.x/security.html
Log4j version 1.x is end-of-life, so we strongly recommend to upgrade to a supported version of Delft-FEWS (at least 2018.02 but preferably higher)
...