Tomcat + Java Security Manager
If the Java Security Manager is enabled within Tomcat, you may need to grant more permissions to applications that rely on Log4j 2.x. An example application bundled within Content Services which requires additional permissions is _vti_bin (included in Alfresco Office Services). To avoid any AccessControlException related to Log4j 2.x operations, the catalina.policy file can be extended to allow the required permissions.
Example for the _vti_bin web app:
grant codeBase "file:${catalina.base}/webapps/_vti_bin/-" { permission java.security.AllPermission; };