High priority- Log4J security announcement

LabKey Support Forum (Inactive)
High priority- Log4J security announcement jeckels  2021-12-16 10:26
Status: Closed

We have finished testing and have released LabKey Server versions 21.11.3 and 21.7.11 which incorporate Log4J 2.16.0. We are in the process of pushing out new builds to customers' support portals and the Community Edition download page. These versions address both CVE-2021-44228 and CVE-2021-45046, and with the new builds you no longer need the -D system property as a mitigation (though it will cause no problems if you leave it in place).

We have separately been asked about older LabKey Server versions that use Log4J 1.2.17, which is vulnerable to CVE-2019-17571. Our assessment is that LabKey Server is not impacted, because it doesn't make use of the specific feature within Log4J 1.x that is vulnerable, a SocketServer. Thus, no mitigations are required, but we encourage all deployments to migrate to 21.11.3, the current supported, maintained version of LabKey Server.

Thanks,
Josh
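For anyone inventorying a deployment against the announcement above, the following is an added example (not LabKey's or Log4j's own code) that walks a directory, reads each jar's manifest `Implementation-Version`, and flags log4j-core 2.x below 2.16.0 as well as Log4j 1.x jars that still carry the `SocketServer` class. It assumes the jars set `Implementation-Version` in their manifest; the sample jars it builds are constructed stand-ins with empty class entries, not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile

FIXED_2X = (2, 16, 0)  # the release the post names as addressing CVE-2021-44228 and CVE-2021-45046
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"  # Log4j 1.x class behind CVE-2019-17571

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); missing components default to 0 so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess_jar(path):
    """Classify one jar from its manifest version and class list; returns (version, finding)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    version = match.group(1) if match else "unknown"
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):  # log4j-core 2.x
        if version == "unknown" or parse_version(version) < FIXED_2X:
            return version, "log4j2-below-2.16.0"  # below the fixed release named in the post: upgrade
        return version, "log4j2-fixed"
    if any(n.startswith("org/apache/log4j/") for n in names):  # Log4j 1.x
        # CVE-2019-17571 requires the SocketServer to actually be run; the class being present is only a lead
        return version, "log4j1-socketserver-present" if SOCKET_SERVER in names else "log4j1-no-socketserver"
    return version, "not-log4j"

def scan_tree(root):
    return {os.path.join(d, f): assess_jar(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.endswith(".jar")}

def build_sample_jars(directory):
    """Write constructed stand-in jars (manifest + empty class entries), not real Log4j builds."""
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", ["org/apache/logging/log4j/core/Logger.class"]),
        "log4j-core-2.16.0.jar": ("2.16.0", ["org/apache/logging/log4j/core/Logger.class"]),
        "log4j-1.2.17.jar": ("1.2.17", ["org/apache/log4j/Logger.class", SOCKET_SERVER]),
    }
    for fname, (ver, classes) in samples.items():
        with zipfile.ZipFile(os.path.join(directory, fname), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            for cls in classes:
                zf.writestr(cls, b"")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return {os.path.basename(p): finding for p, finding in scan_tree(tmp).items()}
```

Run `scan_tree` against a real deployment directory (for example the servlet container's `lib` and webapp `WEB-INF/lib` folders) to get the same classification per jar path; `demo()` only exercises the constructed samples.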