Conversation

@waa-ben waa-ben commented Jan 15, 2026

It'd be exceptionally unlikely to be hit, but this will clear the CVE from this project. See CVE-2025-68161 for details.

<dependency prefix="spotbugs.log4j-slf4j18-impl" artifact="org.apache.logging.log4j:log4j-slf4j18-impl:2.24.3" usage="${spotbugs.lib}"/>
<dependency prefix="spotbugs.log4j-api" artifact="org.apache.logging.log4j:log4j-api:2.25.3" usage="${spotbugs.lib}"/>
<dependency prefix="spotbugs.log4j-core" artifact="org.apache.logging.log4j:log4j-core:2.25.3" usage="${spotbugs.lib}"/>
<dependency prefix="spotbugs.log4j-slf4j18-impl" artifact="org.apache.logging.log4j:log4j-slf4j18-impl:2.25.3" usage="${spotbugs.lib}"/>
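Review bot: The spotbugs.log4j-slf4j18-impl entry is bumped to 2.25.3 in step with log4j-api and log4j-core, yet the review comment below reports that the slf4j 1.8 binding is not published past 2.18.0 and does not appear in the Gradle dependency tree at all. Verify that `org.apache.logging.log4j:log4j-slf4j18-impl:2.25.3` actually resolves and that the spotbugs build consumes it; if it does not, drop the entry rather than bump it to a version that may not exist.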

@waa-ben waa-ben Jan 15, 2026

I'm not familiar with spotbugs, but this line appears to be incorrect as:

  1. Those Maven coordinates aren't correct (before or after this change); the log4j slf4j 1.8 binding library caps out at version 2.18.0 as far as I can see
  2. I can't see this in the dependency tree at all, at least in the gradle build

I can see in the past this version seems to be in lock-step with the log4j version though, so I've included it here.

Let me know if you'd rather references to this binding be removed, or if there's something I've missed with its inclusion.

@pjfanning
Member

xmlbeans only has a dependency on log4j-api. No CVEs in log4j-api. There are some in log4j-core but we don't force you to add that jar and you can control the dependency version in your build files.

I'll probably merge this or something similar but we have no current plans for any xmlbeans releases.

waa-ben commented Jan 16, 2026

I agree that it shouldn't apply, but they've unfortunately logged it under the CPE cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* which my vulnerability scanner interprets as applying to all log4j packages. Not a huge deal as we can override it, of course.

We're currently blocked from upgrading because of XML-660 (thanks for merging that, by the way). Is there any chance of getting a release onto the roadmap? I'm happy to donate some time to the process if there's some work that needs to be done; our customers' auditors are much happier with official releases than self-published forks, even if we're not making code changes outside of what's been accepted here.
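The scanner behaviour described in the comment above, as an added example that is not part of the pull request or of the xmlbeans project: a minimal CPE 2.3 matcher showing why a CVE logged under `cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*` gets applied to every artifact under `org.apache.logging.log4j` once a scanner collapses the groupId to the single product `log4j`, and what a per-advisory override looks like. The Maven-to-CPE mapping, the `flagged_with_override` helper and the `{"log4j-core"}` override set are assumptions made for illustration, not the logic of any particular scanner or a statement of which artifacts the CVE really affects.

```python
# Added example (not code from the pull request or the xmlbeans project).
# Simplified CPE 2.3 matching: '*' in the pattern matches anything, every
# other attribute must match exactly (no NA value, no prefix wildcards).
# The Maven-to-CPE mapping below is an assumption for illustration only.

ANY = "*"
CPE_FIELDS = 11  # part, vendor, product, version, update, edition,
                 # language, sw_edition, target_sw, target_hw, other


def parse_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 11 attribute values."""
    parts = cpe.split(":")
    if len(parts) != 2 + CPE_FIELDS or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[2:]


def cpe_matches(pattern: str, target: str) -> bool:
    """True when every attribute of `pattern` is '*' or equals `target`'s."""
    return all(p == ANY or p == t
               for p, t in zip(parse_cpe23(pattern), parse_cpe23(target)))


def maven_to_cpe_coarse(coordinate: str) -> str:
    """Assumed coarse mapping: every artifact under org.apache.logging.log4j
    becomes vendor 'apache', product 'log4j'. The artifactId is dropped,
    which is exactly the loss of precision behind the false positive."""
    group, _artifact, version = coordinate.split(":")
    if group != "org.apache.logging.log4j":
        raise ValueError(f"no CPE mapping for groupId {group!r}")
    return f"cpe:2.3:a:apache:log4j:{version}:*:*:*:*:*:*:*"


def flagged(coordinates, cve_cpe, mapper=maven_to_cpe_coarse):
    """Coordinates whose derived CPE matches the CVE's CPE."""
    return [c for c in coordinates if cpe_matches(cve_cpe, mapper(c))]


def flagged_with_override(coordinates, cve_cpe, affected_artifacts,
                          mapper=maven_to_cpe_coarse):
    """Hypothetical manual override: keep only matches whose artifactId a
    human has confirmed the advisory applies to."""
    return [c for c in flagged(coordinates, cve_cpe, mapper)
            if c.split(":")[1] in affected_artifacts]


# CPE the CVE is logged under, as quoted in the thread.
CVE_CPE = "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"

# Constructed sample dependency list, using the coordinates from the diff.
DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-api:2.25.3",
    "org.apache.logging.log4j:log4j-core:2.25.3",
    "org.apache.logging.log4j:log4j-slf4j18-impl:2.25.3",
]

if __name__ == "__main__":
    # Coarse mapping: all three artifacts are flagged, log4j-api included.
    print("flagged:", flagged(DEPENDENCIES, CVE_CPE))
    # With an (assumed) override limiting the advisory to log4j-core.
    print("overridden:", flagged_with_override(DEPENDENCIES, CVE_CPE,
                                               {"log4j-core"}))
```

The version attribute is also a wildcard in the quoted CPE, so the bump in this PR does not change the coarse match at all; only an artifact- or version-scoped override in the scanner's configuration does.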
