Furthermore, log4j 1.2 has reached EOL in 2015 and shouldn't be used any more because further issues won't be fixed in this version.
In order to stay within the lifecycle and to mitigate the mentioned CVEs, I would strongly recommend to upgrade log4j to a current and supported version.
The current version 1.9.3 of gitblit uses log4j 1.2.17 This version seems to be affected by different vulnerabilities: https://mvnrepository.com/artifact/log4j/log4j/1.2.17
The discussion at https://github.com/gitblit-org/gitblit/discussions/1403 was related to CVE-2021-44228 but there seems to be never vulnerabilities in the meantime.
Furthermore, log4j 1.2 has reached EOL in 2015 and shouldn't be used any more because further issues won't be fixed in this version.
In order to stay within the lifecycle and to mitigate the mentioned CVEs, I would strongly recommend to upgrade log4j to a current and supported version.
Maybe I could also send a PR, if this helps.