Not a SonarSource employee, but:
In order to exploit CVE-2021-44832, you already have to have a bad actor on your network, and/or your server with the configuration file has to be badly configured. You will have way worse things to worry about and mitigate than this theoretical exploit (aka your network is totally owned).
This was a badly assigned CVE from security researchers hungry to hop onto the log4j bandwagon and grab some fame imo…
Where I work, we will upgrade from 2.17.0 possibly in a few months, in the next regular maintenance/module dependency upgrade period, unless a real security vulnerability pops up.