2.17.0 is too old. Log4Shell is one of the most famous CVEs and it affects log4j-core specifically but I think it is a bad look for an ASF project to be using such an old log4j version.