Use log4j v2.16.0 <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core --><dependency> <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-core</artifactId> <version>2.16.0</version></dependency>
Latest v2.17.1 is released which is as of now having 0 vulnerabilities.