  2. SLF4J-491

Deprecate or remove slf4j-log4j12


Details

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major

    Description

      http://logging.apache.org/log4j/1.2/index.html states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).
      Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important.

      Options for the documentation:

      1. Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
      2. Remove mentions of slf4j-log4j12 entirely.

      Options for the code:

      Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:

      1. Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
      2. As above, but make it abort startup. (That's probably too much, there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)
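A build-time check in the same spirit, added here as an example that is not SLF4J's own code: it scans `mvn dependency:tree` output for the slf4j-log4j12 binding or a log4j 1.2.x artifact and produces the ERROR text proposed above. The `find_log4j12` and `advisory` helpers and the sample tree are constructed for illustration.

```python
# Hypothetical build check (not SLF4J code): flag the log4j 1.2 backend.
import re
from typing import Dict, List

# Matches `mvn dependency:tree` lines such as:
#   [INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
#   [INFO] |  \- log4j:log4j:jar:1.2.17:compile
_DEP_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\s-]*"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):"
    r"(?:(?P<classifier>[\w-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)"
)

# Coordinates that mean "log4j 1.2 is the active logging backend".
_BINDING = ("org.slf4j", "slf4j-log4j12")   # the SLF4J binding itself
_BACKEND = ("log4j", "log4j")               # only the 1.2.x line is affected

def find_log4j12(tree_text: str) -> List[Dict[str, str]]:
    """Return one record per offending artifact, in tree order."""
    hits = []
    for line in tree_text.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue
        coords = (m["group"], m["artifact"])
        version = m["version"]
        if coords == _BINDING or (coords == _BACKEND and version.startswith("1.2")):
            hits.append({"group": coords[0], "artifact": coords[1],
                         "version": version, "scope": m["scope"]})
    return hits

def advisory(hits: List[Dict[str, str]]) -> str:
    """Build the ERROR text proposed in the issue, naming each artifact found."""
    if not hits:
        return ""
    names = ", ".join(f"{h['group']}:{h['artifact']}:{h['version']}" for h in hits)
    return ("ERROR: log4j 1.2 has an unfixed security hole (CVE-2019-17571); "
            f"found {names}. Migrate to another logging backend as soon as possible.")

# Constructed sample of `mvn dependency:tree` output for demonstration.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.13:test
"""

if __name__ == "__main__":
    print(advisory(find_log4j12(SAMPLE_TREE)) or "no log4j 1.2 backend found")
```

Piping real `mvn dependency:tree` output into `find_log4j12` and failing the build when `advisory` returns a non-empty string gives the warning the issue asks for without waiting on a new slf4j-log4j12 release.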

      People

        slf4j-dev SLF4J developers list
        toolforger Joachim Durchholz