Dec 132021

Go to your seafile directory and into pro/elasticsearch/config, e.g.

cd ~/seafile/seafile-server-latest/pro/elasticsearch/config

Append “-Dlog4j2.formatMsgNoLookups=true” to jvm.options

echo “-Dlog4j2.formatMsgNoLookups=true” >> jvm.options

Restart seafile:

cd ~/seafile/seafile-server-latest
./ stop
./ stop
sleep 3
/ start
./ start 8000

The vulnerable versions are in ~/seafile/seafile-server-latest/pro/elasticsearch/lib/


You could as well try to upgrade them, but I didnt have the time to test it. The other log4j libs in seafile are version 1 and not vulnerable to this issue (but other RCEs and are EOL sind 2015). Great product! ;)


 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>