High priority - Log4J security announcement

LabKey Support Forum (Inactive)
adam  2021-12-30 11:53
Status: Active
 

Yesterday, Log4J announced another potential vulnerability, CVE-2021-44832. In this case, an attacker would need write permissions to an application's log4j2.xml configuration file, which should never be the case in a LabKey Server deployment. Despite not being vulnerable, we have updated all current release branches to the latest Log4J release, 2.17.1, for additional assurance. The next maintenance releases (e.g., 21.11.5) will include this version, but there's no need for emergency patching.

Thanks,
Adam