Gerrit v184.108.40.206 uses log4j 1.2.17,
this means it’s not affected by the Log4J v2 vulnerability CVE-2021-44228.
Gerrit v3.5.1 does not use log4j but adopted reload4j instead.
Log4j 1.2.17 is affected by CVE-2019-17571
and CVE-2020-9488 however,
both of them require a specific log4j configuration that Gerrit does not use out
of the box.
Should you have used a custom log4j configuration
you should also check that your configuration is not impacted by the above
vulnerabilities and look at the associated mitigation actions.