Add the following to your gradle.build file:

configurations.all {
  resolutionStrategy.eachDependency { details ->
    if (details.requested.group == 'org.apache.logging.log4j') {
      details.useVersion '2.17.1'
      details.because 'zero-day exploits suck'
    }
  }
}

dependencies {
…
}

Note that as the documentation points out:

the following mechanisms allow you to write rules which are directly injected into the resolution engine. Because of this, they can be seen as brute force solutions, that may hide future problems (e.g. if new dependencies are added). Therefore, the general advice is to only use the following mechanisms if other means are not sufficient.

I realize the OP asks for the "safest" way to upgrade dependencies -- I choose to interpret that as most-likely to remove zero-day exploits. Nevertheless, I do recognize that this brute force approach doesn't guarantee compatibility between libraries, but this should make sure no vulnerable versions of log4j end up in your dependency tree / builds.

You should of course run gradle dependencies after you make the change to be sure the changes took and you don't have any lingering versions with issues.

Update: removed the version comparison, as recommended here.

Update: increased version to 2.17.1

You can add Dependency Management plugin to your gradle.build:

plugins {
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
}

dependencyManagement {
    imports {
        mavenBom 'org.apache.logging.log4j:log4j-bom:2.17.0'
    }
}

To confirm the change, run ./gradlew dependencies you should see something like

 +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.17.0
|    |    |    |    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.32
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.0