You’ve probably heard about the Log4j vulnerability (CVE-2021-44228), which allows remote code execution on Apache web servers. The vulnerability is also quick and easy to exploit and was rated 10 (out of 10) on the Common Vulnerability Scoring System scale. It has affected literally thousands of organizations, including Apple, Twitter, Valve, Tencent, and many other major service providers. So as a Pydio user, you are surely wondering whether Pydio or Pydio Cells deployments may be affected.
NO, there is no need to worry.
Pydio 8 is a PHP application and Cells was developed in Golang. Log4j is a Java library used by many Java applications for logging. As such, our own code is not exposed to this vulnerability. We also don’t install or use Log4j in any third-party tool that could be deployed in our cloud images (OVF, VMware, AWS AMI).
That said, if Pydio is installed on your own server, it’s your responsibility to ensure that you haven’t installed any log4j-related software on that server. Better safe than sorry.