Apache Log4j 2 vulnerability CVE-2021-44228

The National Vulnerability Database says

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration (emphasis added). … Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default

Jenkins core makes no mention of JMSAppender. I believe it is not configured to use JMSAppender.

If you’re granting write access to the Jenkins Log4j configuration on your Jenkins controller, I believe that means you have granted write access to the Jenkins home directory. If you’ve given someone write access to the Jenkins home directory, they are assumed to be trusted.

Note, I’m not part of the security team, so my assessment may be incorrect, but as far as I can tell, Jenkins is not vulnerable to that issue.
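A check for the precondition the NVD text names, added here as an example rather than anything from the original post or from Jenkins itself: it lists the Log4j 1.x configuration files under a directory (assumed to be the Jenkins home, e.g. `$JENKINS_HOME`) that reference `JMSAppender`. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Scans a directory tree for Log4j 1.x
# configuration files (*.properties, *.xml) that configure JMSAppender, which is
# the precondition the NVD text names. The directory is assumed to be the Jenkins
# home (e.g. "$JENKINS_HOME"); the sample files below are constructed for the demo.

# Print every Log4j 1.x config file under "$1" that references JMSAppender.
# A match only means the appender is configured, not that it is reachable;
# configs embedded inside plugin .jar/.hpi archives are not unpacked here.
find_jmsappender_configs() {
    find "$1" -type f \( -name '*.properties' -o -name '*.xml' \) \
        -exec grep -l 'org\.apache\.log4j\.net\.JMSAppender' {} + 2>/dev/null
}

# Number of files reported by find_jmsappender_configs (0 means none found).
count_jmsappender_configs() {
    find_jmsappender_configs "$1" | wc -l | tr -d ' '
}

# Build a constructed directory layout: one default-style config (no JMSAppender),
# plus one properties file and one XML file that do configure it. Prints the path.
make_demo_configs() {
    d=$(mktemp -d)
    mkdir -p "$d/plugins/example"
    cat > "$d/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
EOF
    cat > "$d/plugins/example/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
EOF
    cat > "$d/log4j.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>
EOF
    echo "$d"
}

demo=$(make_demo_configs)
find_jmsappender_configs "$demo"          # lists the two files that configure it
echo "$(count_jmsappender_configs "$demo") file(s) configure JMSAppender"   # 2
rm -rf "$demo"
```

Run it against the real Jenkins home in place of the constructed directory; an empty listing is consistent with the assessment above, while any hit names a file worth reviewing and, given the write-access point made in the post, asking who was able to put it there.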