High priority- Log4J security announcement

LabKey Support Forum (Inactive)
jeckels  2021-12-15 11:42
Status: Closed
 

I wanted to follow up on Will's post. I want to make sure that no one is waiting for another build before protecting their server, either via the -D system property or by deploying LabKey Server 21.11.2 or 21.7.10. It is imperative to get that level of protection in place.

We are aware of the follow-up changes in Log4J 2.16.0 that address a related but significantly less severe problem. Based on the information released, we don't believe that LabKey Server is vulnerable but are opting on the side of caution and taking the Log4J team's recommendation of updating to 2.16.0.

I know everyone would prefer to only need to take one set of mitigation steps, but do not wait to protect yourselves from the first critical vulnerability.

Thanks,
Josh