...
Irrespective of Log4J 1x or 2x, as a best practice, the OpenSpecimen VM should be restricted from making outbound connections. If it has to make connections to the external systems like email server then those system IP addresses or hostnames should be in the whitelist. All other outbound traffic should be summarily rejected by the firewall rules. This will ensure there is are no connections to the malicious servers and therefore no malicious programs on the VM.