All, As you've probably heard, a dire rce was recently announced in log4j2. I suspect it would be fairly easy to develop a PoC to show that we're vulnerable. It isn't as straightforward as webapps that are logging direct user input, but I don't think it would take much. Should we push for a 2.x release in the next few days?
Best,
Tim
