Upgrade l4j

[brianbolt]

No description provided.

[bffrost]

@brianbolt as we discussed yesterday, we're still seeing log4j 1.2.17 get pulled down due to the slf4j-log4j12 artifact.
These two classes seem to be used widely in acas-roo-server:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Can we see if it's possible to switch our slf4j usage to use log4j v2.15.0 instead?
From my reading it seems we may need to switch from slf4j-log4j12 to log4j-over-slf4j and/or use log4j-slf4j-impl

https://stackoverflow.com/questions/31044619/difference-between-slf4j-log4j12-and-log4j-over-slf4j
https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.15.0

[brianbolt]

It looks like we should take the log4j-slf4j-impl route. This is because it looks like we already went down the path of using jcl-over-slf4j and excluding commons-logging from various places. This stackoverflow comment gives some good guidance about the options

It looks like they released a log4j 2.16.0 which disables JNDI by default so I think i'll update to that one.