It’s likely a dependency of some module you either (a) have in your project now or (b) had installed at one point.
The file you have is from log4j v1 which is not vulnerable according to: https://logging.apache.org/log4j/2.x/security.html
It has also been out of maintenance/support for a long time (2015) so I wonder if perhaps it’s left over from long ago or a very old module of your app.
I recommend you review all of the JAR files in your userlib folder and remove those that are no longer needed.