Arara uses vulnerable version of log4j
I have created a merge request: !28 (closed), although the build seems to be failing for some reason.
Given the fact that this vulnerability is being exploited actively, it probably makes sense to fix the vulnerability rather sooner than later.
Also linked to this Archlinux bug: https://bugs.archlinux.org/task/72996
Hope this helps.