Currently, several critical issues in log4j have been identified: https://logging.apache.org/log4j/2.x/security.html
1.x seems to be less critical but will not receive any fixes.

As far as I could analyse the JavaOSC code, it does not use log4j at all. I guess it was only added in case someone wants to use it via sl4j. Therefore, I suggest to simply remove it.

Thank you @git-moss!
Fixed in 4ddf69e.