
Bump log4j to 2.25.4 #121

Open
Sanikadze wants to merge 1 commit into apache:main from Sanikadze:bump-log4j-2.25.4

Conversation

@Sanikadze


Summary

Bump log4j from 2.17.2 to 2.25.4. Closes CVE-2026-34480 (XmlLayout invalid XML output) and CVE-2026-34477 (SSL hostname verification bypass).

Changes

server/build.gradle

  • Add ext['log4j2.version'] = '2.25.4' so the version managed by the imported spring-boot-dependencies BOM (which pins log4j-bom 2.17.2) is overridden. A bomProperty override does not reach the nested log4j-bom, hence the explicit ext property.
  • Replace the log4j-spring-boot:2.17.2 pin (and its junit excludes) with log4j-spring-boot:2.25.4. The excludes were a workaround for junit leaking into compileClasspath in 2.17.2; this was fixed upstream in 2.19.0, so at 2.25.4 they are dead code (the old comment said to remove them on upgrade).

server/pxf-service/build.gradle

  • Add an explicit commons-logging dependency. log4j-spring-boot 2.25.4 no longer pulls it transitively, so without this it drops out of the jar.

Verification

  • Build and tests are green. ./gradlew :pxf-api:test :pxf-service:test on JDK 8 — BUILD SUCCESSFUL, 679 tests, 678 passed, 0 failed, 1 skipped. api/core/jul/spring-boot, with no junit leaked into the jar and commons-logging-1.1.3 present.
  • Logging is healthy at runtime. pxf-service.log is written with the expected Log4j2 layout, with zero StatusLogger init errors and no log4j config errors;

Signed-off-by: Sanikadze <kavun.alexsander@gmail.com>
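An added reviewer check, not part of this pull request, that can be run over the output of a Gradle dependency report (for example ./gradlew :pxf-service:dependencies --configuration runtimeClasspath) to confirm that every org.apache.logging.log4j artifact resolves to 2.25.4, that no junit artifact leaks into the runtime classpath, and that commons-logging is still present. The two dependency trees below are constructed samples; the "declared -> resolved" notation is Gradle's standard report format for versions overridden by a BOM or an ext property.

```python
import re

# Constructed sample: BOM-managed 2.17.2 versions overridden to 2.25.4 by ext['log4j2.version'].
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-spring-boot:2.25.4
|    +--- org.apache.logging.log4j:log4j-api:2.17.2 -> 2.25.4
|    +--- org.apache.logging.log4j:log4j-core:2.17.2 -> 2.25.4
|    \\--- org.apache.logging.log4j:log4j-jul:2.17.2 -> 2.25.4
+--- commons-logging:commons-logging:1.1.3
\\--- org.apache.logging.log4j:log4j-api:2.17.2 -> 2.25.4 (*)
"""

# Constructed sample of the pre-bump state: stale log4j and junit leaking into runtime.
STALE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-spring-boot:2.17.2
|    +--- org.apache.logging.log4j:log4j-core:2.17.2
|    \\--- junit:junit:4.13.2
\\--- commons-logging:commons-logging:1.1.3
"""

# group:artifact:declared, optionally followed by " -> resolved" when Gradle substituted a version.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?: -> ([\w.\-]+))?")


def resolved_versions(tree):
    """Map 'group:artifact' to the version Gradle actually resolved (right side of ' -> ' wins)."""
    resolved = {}
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if m:
            group, artifact, declared, forced = m.groups()
            resolved[f"{group}:{artifact}"] = forced or declared
    return resolved


def check_log4j_bump(tree, expected="2.25.4"):
    """Return (ok, problems) for the three conditions the bump is supposed to guarantee."""
    deps = resolved_versions(tree)
    problems = []
    for ga, version in deps.items():
        if ga.startswith("org.apache.logging.log4j:") and version != expected:
            problems.append(f"{ga} resolved to {version}, expected {expected}")
        if ga.split(":")[0] in ("junit", "org.junit.jupiter"):
            problems.append(f"test dependency {ga} leaked into runtime classpath")
    if "commons-logging:commons-logging" not in deps:
        problems.append("commons-logging missing from runtime classpath")
    return (not problems, problems)
```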
@ostinru ostinru self-requested a review June 28, 2026 15:14
@ostinru ostinru added the "dependencies" label (Pull requests that update a dependency file) Jun 28, 2026
@Sanikadze

Author

The failing checks are unrelated to this change.

Everything that actually exercises this log4j bump is green.
