Closed issue by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534

Description:

These packages contain old, vulnerable versions of log4j.

- [x] apache-jmeter-5.3_1 /usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [x] apache-storm-2.2.0_3 /usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [x] arduino-1.8.13_1 /usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [x] elasticsearch-5.1.2_2 /usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [x] sbt-1.3.10_2 /usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar

Also Log4j 1.2 is EOL and full of CVEs:

- [x] davmail-5.5.1_2 /usr/share/davmail/lib/log4j-1.2.16.jar
- [x] zookeeper-3.4.13_2 /usr/share/zookeeper/lib/log4j-1.2.17.jar

cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295