CVE-2019-17571 with log4j 1.2.17 is now being addressed with the release of Lagom 1.6.7. Thanks to @octonato.
See here: Log4j 1.2.17 (CVE-2019-17571) critical vulnerability due to lagom-scala-dsl-kafka-broker - #5 by manasbuilds