A scan is turning up a CVE for this:
CRITICAL Vulnerability found in non-os package type (java) - /elastic-apm-agent-1.21.0.jar:slf4j-api (CVE-2018-8088 - https://nvd.nist.gov/vuln/detail/CVE-2018-8088)
This showed up in an earlier version, too (1.17.0). 1.21.0 is the latest and still has this?