diff --git a/changelog.md b/changelog.md
index 299bcf6c..cf1c7064 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1 +1 @@
-- base image update to CALDP_20211129_CAL_final
\ No newline at end of file
+- force update of nss due to critical security vulnerability
\ No newline at end of file
diff --git a/lambda/JobPredict/Dockerfile b/lambda/JobPredict/Dockerfile
index 54fcda6c..8d5a31ac 100644
--- a/lambda/JobPredict/Dockerfile
+++ b/lambda/JobPredict/Dockerfile
@@ -3,6 +3,8 @@ FROM amazon/aws-lambda-python:3.7
 COPY requirements.txt predict_handler.py ./
 # SSL/TLS cert setup for STScI AWS firewalling
 USER root
+# temporary. remove when nss in the base amazon image is secure again
+RUN yum update nss -y
 ENV REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 ENV CURL_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 
diff --git a/terraform/deploy.sh b/terraform/deploy.sh
index ae14b2d5..fe3bf4b0 100755
--- a/terraform/deploy.sh
+++ b/terraform/deploy.sh
@@ -3,7 +3,7 @@
 # ADMIN_ARN is set in the ci node env and should not be included in this deploy script
 
 # variables that will likely be changed frequently
-CALCLOUD_VER="v0.4.31"
+CALCLOUD_VER="v0.4.32"
 CALDP_VER="v0.2.16"
 CAL_BASE_IMAGE="stsci/hst-pipeline:CALDP_20211129_CAL_final"