CVE-2021-44228: Apache Log4j Vulnerability in Tasktop Products

Last Updated:  

Affected Products

Tasktop Hub: versions 19.4.0 and later

Note: No action is required for Tasktop Viz or Tasktop Sync as they were not impacted by this vulnerability.

Description

A critical security vulnerability has been reported in Apache Log4j versions 2.x prior to 2.15.0. Multiple Tasktop Hub versions that incorporate Log4j are affected.

Resolution

12/15 Update: We have released a patch in our latest Tasktop versions that fixes this vulnerability. No mitigating action is necessary for the fixed versions listed below.

12/22 Update: In our most recent release, we have updated the Log4j used in our products to version 2.17. See the updated Tasktop versions below.

12/30 Update: Tasktop products are not affected by CVE-2021-44832 as it requires the attacker to control logging configuration (See details here). We will be updating to the newer version of Log4j according to our normal process and will not be issuing an emergency patch for CVE-2021-44832.

Fixed Tasktop versions:

  • Tasktop Hub 20.4.40
  • Tasktop Hub 21.1.47
  • Tasktop Hub 21.2.36
  • Tasktop Hub 21.3.24
  • Tasktop Hub 21.4.13
  • Tasktop Hub 22.1.0.20211215-b2449

Note: This fix will be applied to all Tasktop versions later than the versions listed above.


Tasktop versions (updated to log4j 2.17):

  • Tasktop Hub 20.4.41
  • Tasktop Hub 21.1.48
  • Tasktop Hub 21.2.37
  • Tasktop Hub 21.3.25
  • Tasktop Hub 21.4.14
  • Tasktop Hub 22.1.0.20211222-b2485

Mitigation

Tasktop Hub

To fully address the issue, affected versions of Tasktop Hub should be upgraded to one of the fixed versions listed above. According to updated guidance from Apache Log4j, the previously recommended mitigation steps may not provide 100% protection.

Note: No action is required for Tasktop Hub Cloud as the fixes have already been implemented.
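To triage an inventory of on-premises Hub installations against the version lists above, the following added example (not Tasktop code) classifies a version string by release line. It assumes versions are compared only within the same major.minor line, treats lines older than 22.1 with no fixed build listed as affected, and uses constructed hostnames and deployed versions.

```python
import re

# (major, minor) release line -> (first build with the CVE-2021-44228 fix,
# first build on log4j 2.17), copied from the two lists in this advisory.
FIXED = {
    (20, 4): ("20.4.40", "20.4.41"),
    (21, 1): ("21.1.47", "21.1.48"),
    (21, 2): ("21.2.36", "21.2.37"),
    (21, 3): ("21.3.24", "21.3.25"),
    (21, 4): ("21.4.13", "21.4.14"),
    (22, 1): ("22.1.0.20211215-b2449", "22.1.0.20211222-b2485"),
}
FIRST_AFFECTED = (19, 4, 0)  # "versions 19.4.0 and later"

def parse(version):
    """'22.1.0.20211215-b2449' -> (22, 1, 0, 20211215, 2449)."""
    if not re.fullmatch(r"\d+(\.\d+){2,3}(-b\d+)?", version):
        raise ValueError(f"unrecognized Hub version: {version!r}")
    return tuple(int(n) for n in re.findall(r"\d+", version))

def classify(version):
    """Return 'not affected', 'affected', 'patched' or 'log4j 2.17'."""
    v = parse(version)
    if v < FIRST_AFFECTED:
        return "not affected"
    line = v[:2]
    if line not in FIXED:
        # Assumption: lines newer than 22.1 carry the fix (the advisory says
        # later versions do); older unlisted lines have no fixed build listed.
        return "patched" if line > max(FIXED) else "affected"
    fixed, updated = (parse(s) for s in FIXED[line])
    if v >= updated:
        return "log4j 2.17"
    # A 22.1.0 string without its build qualifier sorts below the fixed
    # build and is reported as affected, the conservative outcome.
    return "patched" if v >= fixed else "affected"

if __name__ == "__main__":
    # Constructed inventory: hostnames and deployed versions are made up.
    inventory = {"hub-prod": "21.2.35", "hub-test": "21.4.13",
                 "hub-dev": "22.1.0.20211222-b2485", "hub-old": "19.3.2"}
    for host, version in inventory.items():
        print(f"{host:9} {version:24} {classify(version)}")
```

Any installation reported as `affected` should be upgraded to a fixed version listed above.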