bump log4j

[ckiosidis]

use the latest log4j https://logging.apache.org/log4j/2.x/security.html

[marschall]

We only use it for testing. It should not affect our users and our tests don't read input. Nevertheless it's good to upgrade.

Do you need a release? Is some internal tool of yours reporting this?

[ckiosidis]

Yes please, a release would be nice. The library is used here https://github.com/flyteorg/flytekit-java/blob/master/pom.xml#L241-L246 Thank you

[marschall]

I just release 2.3.0, it may take a moment until it shows up in Maven Central. The POM should be flattened now so that log4j2 should no longer appear.