  1. Log4j 2
  2. LOG4J2-2340

Do not print stack trace when environment variables access is restricted

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.11.0
    • None
    • Core
    • Important

    Description

      This issue is a security issue. 

      When running log4j in a restricted environment where the calling application is not allowed to access environment variables, then when log4j initializes a Logger our security manager raises a SecurityException because it tries to get access to all environment variables (getenv.*). The current log4j code properly catches the SecurityException and ignores it, which is correct as it allows the application to continue. The issue is that it also prints the exception message and the stack trace. 

      Printing the exception message is a bit too much in our context (the users do not need to know about this issue: there is nothing they can do, and the exception is just ignored, which means even the core log4j does not handle this case). But the most important issue is the stack trace printing, which can be exploited by an attacker (it provides information about class names that he could impersonate).

       I suggest two code changes (most important first):

      1/ do not print the stack trace

      2/ do not log the exception message

          People

            Unassigned Unassigned
            slannez Sebastien Lannez
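
The behaviour reported in this issue next to the behaviour it asks for, as an added example that is not part of the original report and is not Log4j's own code. The class name, the `Supplier`-based environment lookup, the `debug` switch and the exception text are assumptions constructed for illustration, so the sketch runs without installing a security manager.

```java
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.util.Collections;
import java.util.Map;
import java.util.function.Supplier;

public class RestrictedEnvDemo {

    /** Reported behaviour: the exception is ignored, but its message and stack trace are printed. */
    static Map<String, String> loadVerbose(Supplier<Map<String, String>> env, PrintStream out) {
        try {
            return env.get();
        } catch (SecurityException e) {
            out.println("Environment variables are not available: " + e);
            e.printStackTrace(out); // exposes internal class and method names
            return Collections.emptyMap();
        }
    }

    /** Requested behaviour: same fallback, with no message and no stack frames written. */
    static Map<String, String> loadQuiet(Supplier<Map<String, String>> env, PrintStream out, boolean debug) {
        try {
            return env.get();
        } catch (SecurityException e) {
            if (debug) { // hypothetical opt-in switch: one line, exception type only
                out.println("Environment variables unavailable (" + e.getClass().getSimpleName() + ")");
            }
            return Collections.emptyMap();
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a security manager that denies getenv.*
        Supplier<Map<String, String>> denied = () -> {
            throw new SecurityException("access denied (constructed sample: getenv.*)");
        };
        ByteArrayOutputStream verbose = new ByteArrayOutputStream();
        ByteArrayOutputStream quiet = new ByteArrayOutputStream();
        Map<String, String> a = loadVerbose(denied, new PrintStream(verbose, true));
        Map<String, String> b = loadQuiet(denied, new PrintStream(quiet, true), false);

        // Both variants let the application continue with an empty environment.
        System.out.println("fallback to empty map: " + (a.isEmpty() && b.isEmpty()));
        System.out.println("verbose output has stack frames: " + verbose.toString().contains("\tat "));
        System.out.println("quiet output size in bytes: " + quiet.size());
    }
}
```

Checking captured output for `\tat ` frame lines, as `main` does, is a simple regression test that initialization under a restrictive policy no longer writes stack traces.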