Like you, we have learnt about the Log4j RCE vulnerability, CVE-2021-44228, and the related CVEs that were discovered following the disclosure of 44228.
We are fortunate in our case that we chose not to use Java as a core part of our stack and have no dependencies on services and applications that make use of it.
After a rigorous review of our codebase, we are confident that k6 OSS, k6 Cloud, and our in-house developed extensions (xk6 extensions in the Grafana organisation on GitHub) are not affected.
If you have specific questions or concerns regarding this vulnerability and your k6 products or services, please email support@k6.io.