Excluded the commons-logging dependency pulled in by Spring Security until they can provide a fix. See gh-8985