Security: remove use log of log4j v1

[pjfanning]

Description

log4j v1 is end of life and full of security issues

Can you upgrade log4j v2.17.x or reload4j?

• indexing-hadoop/pom.xml
• extensions-core/hdfs-storage/pom.xml

Motivation

Please provide the following for the desired feature or change:

• A detailed description of the intended use case, if applicable
• Rationale for why the desired feature/change would be beneficial

[FrankChen021]

The log4j v1 used by these two libs is introduced by #11794. And they're used for test profile only. So I think it does not cause any security problems.

I don't know if it's possible to remove it or upgrade it to log4j2. What do you think ? @cryptoe

[cryptoe]

Let's try to bump it to log4j2 and look at the travis runs.

[murari-goswami]

The log4j v1 is in use for below transitive dependency other than the tests. Can we please bump this up to have a fix to get the CVE fix.

+- org.apache.ranger:ranger-plugins-common:jar:2.0.0:compile
| +- log4j:log4j:jar:1.2.17:compile

+- org.apache.hive.shims:hive-shims-0.23:jar:3.1.3:runtime
- org.apache.hadoop:hadoop-yarn-server-resourcemanager:jar:3.1.0:runtime
+- log4j:log4j:jar:1.2.17:runtime