talk@lists.collectionspace.org

Targeted discussion among implementers and between implementers and the CollectionSpace development team


Upgrading log4j

RL
Ray Lee
Wed, Dec 15, 2021 5:15 AM

Hi All,
If you're running CollectionSpace 6.0 or above, patches are now available to upgrade log4j to 2.15.0, in order to mitigate the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) vulnerability.

If you've already applied the previously recommended mitigation (adding -Dlog4j2.formatMsgNoLookups=true to the JVM startup options), you don't need to upgrade log4j, but it won't hurt anything if you do.

To upgrade:

  1. Stop the CollectionSpace server.

  2. In your services source code directory (typically /opt/collectionspace/services or /home/cspace/collectionspace-source/services), pull the latest code for your release branch.

     cd /opt/collectionspace/services
     git pull

  3. Build the services source code.

     mvn clean install -DskipTests

  4. Redeploy the services web application.

     ant undeploy deploy

  5. To verify that log4j has been upgraded, check the jar files that exist in the tomcat lib directory:

     cd $CSPACE_JEESERVER_HOME/lib
     ls log4j*.jar

     All of the listed filenames should end with -2.15.0.jar.

  6. Start the CollectionSpace server.

Reply to the talk list if you have any questions or run into any problems.

Thanks,
Ray
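The verification step in the message above (every log4j jar left in the Tomcat lib directory must carry the -2.15.0.jar suffix) and the interim JVM-flag mitigation it refers to are easy to get wrong by eye when a stale jar sits next to the new ones. The script below is an added example, not part of Ray Lee's message or of the CollectionSpace project: it turns both checks into shell functions that return a status an operator or a post-upgrade script can act on. The function names, the sample jar names and the temporary directory used for the demo are constructed for this example; the real directory is $CSPACE_JEESERVER_HOME/lib as the message states.

```shell
#!/bin/sh
# Added example (not from the original message or the CollectionSpace project).
# check_log4j_jars DIR VERSION
#   Returns 0 when DIR contains at least one log4j*.jar and every such jar
#   ends with -VERSION.jar (the condition step 5 of the message describes).
#   Returns 1, naming each offender on stderr, if a jar with another version
#   is still present or if no log4j jar is found at all.
check_log4j_jars() {
    dir=$1
    version=$2
    found=0
    bad=0
    for jar in "$dir"/log4j*.jar; do
        [ -e "$jar" ] || continue          # the glob matched nothing
        found=$((found + 1))
        case "$jar" in
            *-"$version".jar) ;;           # expected suffix, nothing to do
            *) echo "stale log4j jar: $jar" >&2; bad=$((bad + 1)) ;;
        esac
    done
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# has_nolookups_flag OPTS
#   Returns 0 when the JVM option string OPTS carries the interim mitigation
#   the message mentions (-Dlog4j2.formatMsgNoLookups=true), 1 otherwise.
#   Pass the value of JAVA_OPTS or CATALINA_OPTS as used by your Tomcat start script.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed directory (hypothetical jar names, empty files).
demo_dir=$(mktemp -d)
: > "$demo_dir/log4j-api-2.15.0.jar"
: > "$demo_dir/log4j-core-2.15.0.jar"
if check_log4j_jars "$demo_dir" 2.15.0; then
    echo "ok: all log4j jars in $demo_dir are 2.15.0"
fi
# Simulate a leftover pre-upgrade jar that a plain 'ls' glance could miss.
: > "$demo_dir/log4j-core-2.13.3.jar"
check_log4j_jars "$demo_dir" 2.15.0 || echo "upgrade incomplete in $demo_dir"
rm -rf "$demo_dir"

# Interim-mitigation check on a constructed option string.
if has_nolookups_flag "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"; then
    echo "formatMsgNoLookups mitigation present in sample JAVA_OPTS"
fi
```

To use it on a real server, source the file and run `check_log4j_jars "$CSPACE_JEESERVER_HOME/lib" 2.15.0` after the `ant undeploy deploy` step; a non-zero status means an old jar survived the redeploy and should be removed before Tomcat is started again. The empty-directory case is deliberately treated as a failure, since "no log4j jar found" more often means the wrong directory than a clean upgrade.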
