QNAP does not have just one OS - they have 3 - the oldest QTS, the Enterprise QES and the new QTS Hero. All 3 OS are not affected by the Log4j vulnerability.
Qnap has also confirmed that their core apps are not vulnerable to Log4j, so the QNAP core OS and the apps are secure.
Third-party apps, virtualized apps, or Docker apps could still be vulnerable. QNAP has disabled many apps in the App Store that were vulnerable, but not all are disabled. For example, if you have a Docker app installed, QNAP cannot disable it.
If you are concerned about this - Perform an app audit - make a list of all the apps you use and check if any of them use log4j. Remove, disable or patch the app that you are not using or that is vulnerable.