In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException.

Details below taken from: http://confluence.atlassian.com/display/GHKB/NullPointerException+when+Switching+between+Projects+or+Boards

Symptoms
When switching between projects or boards using the "Agile" menu, an error like the following appears onscreen and in the logs:
java.lang.NullPointerException
at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor$CallStack.isProtectedAction(XsrfVulnerabilityDetectionSQLInterceptor.java:161)
at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor.afterExecutionImpl(XsrfVulnerabilityDetectionSQLInterceptor.java:75)
at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor.afterSuccessfulExecution(XsrfVulnerabilityDetectionSQLInterceptor.java:40)
at com.atlassian.jira.ofbiz.ChainedSQLInterceptor.afterSuccessfulExecution(ChainedSQLInterceptor.java:70)
at org.ofbiz.core.entity.jdbc.SQLProcessor.afterExecution(SQLProcessor.java:552)

Cause
There is a known problem with JIRA and a particular logger that manifests itself when logging for the XsrfVulnerabilityDetectionSQLInterceptor is enabled. This problem manifests itself when switching from project to project or board to board using the "Agile" menu.

Resolution
By default, the logger that causes this problem is disabled. If you're experiencing this problem, please check your log4j.properties file and any additional log configuration files. Your log4j.properties file should contain lines like the following:

log4j.logger.com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor = OFF
, xsrflog
log4j.additivity.com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor =
false