Log4Shell (CVE-2021-44228) Updates

I'm not against getting the hub on a newer log4j version, but is it really an important security update if it can't actually do anything malicious on the hub's environment? See below. If you can't do the RCE part, it isn't that big of a deal, really.

I've spent the past 4 days having this discussion in my company. Updating is certainly the best/easiest, but just because a system has an affected log4j version doesn't mean it is automatically at high risk. You can only evaluate the true risk to any environment by seeing what can be done past the log4j issue as it's just the entry point.

All that said... Just get to log4j 2.16.0 and be done with it. :slight_smile: