Hello, I found log4j on my (good old) Pydio 8 on Linux Debian Linux, in elastic search, (the Pydio elastic search plugin is installed).
You can read here Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack the full explanation of elastic search vulnerabilities
and a more practical résumé here : Mitigate Log4j2 / Log4Shell in Elasticsearch
What we did ? For certain elastic search version, an easy fix was to remove the vulnerable library inline in the jar file, that’s what we did :
cp log4j-core-2.7.jar log4j-core-2.7.jar.VULNERABLE
jar tvf lib/log4j-core-.jar | grep -i JndiLookup
response : org/apache/logging/log4j/core/lookup/JndiLookup.class
#remove the class
zip -d log4j-core-2.7.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
#verify the class is no more present
jar tvf log4j-core-.jar | grep -i JndiLookup
#restart elastic search
service elasticsearch restart
service elasticsearch status
Hope this can help !