Is Pydio Cells susceptible to Log4Shell? Short answer: NO

Hi, I was wondering if Pydio Cells is susceptible to the recent Log4Shell RCE? I can’t see anything mentioned but would like to be sure.
I’m running Debian 10, with all the latest patches applied and the server is only running pydio cells.

Matt


I was looking here for more information regarding log4j CVE-2021-44228 as well.
But I couldn’t find any news or documentation about it.

Hi,
CVE-2021-44228 (Log4Shell/Log4J2) is regarding the apache commons java package log4j v2. As Cells is not built on Java, it is not affected by this CVE (which does not mean that there are no issues at all - just that it is not affected by this finding that currently runs through the media ;)).
Falk


Cool, thanks for the quick response.

Thanks for your honesty Falk :wink:

For the main code, as already quoted, we are not at all impacted by this one because the application is coded in Go and JavaScript and this is Java specific.

Yet, we double-triple checked our stacks and more specifically the various images to ensure we do not embed a compromised version of the Log4J library as an implicit dependency, but we found nothing.

You might be at risk on your server if one of the services you host (typically a reverse proxy…) depends on the library.

One way to double check, typically on Deb/Ubuntu, could be:

apt list --installed | grep -i "log4j"