Dec 132021
Go to your seafile directory and into pro/elasticsearch/config, e.g.
cd ~/seafile/seafile-server-latest/pro/elasticsearch/config
Append “-Dlog4j2.formatMsgNoLookups=true” to jvm.options
echo “-Dlog4j2.formatMsgNoLookups=true” >> jvm.options
Restart seafile:
cd ~/seafile/seafile-server-latest
./seahub.sh stop
./seafile.sh stop
sleep 3
/seafile.sh start
./seahub.sh start 8000
The vulnerable versions are in ~/seafile/seafile-server-latest/pro/elasticsearch/lib/
log4j-core-2.11.1.jar
log4j-api-2.11.1.jar
You could as well try to upgrade them, but I didnt have the time to test it. The other log4j libs in seafile are version 1 and not vulnerable to this issue (but other RCEs and are EOL sind 2015). Great product! ;)