Log4J Vulnerability

Is Roon vulnerable to the Log4J security issue? I did a search and haven’t found a topic so hope it’s being looked at to see if there is a risk.

What about Qobuz or Tidal if we use those services?

I’m currently checking my NAS software and shutting off Plex which I use for remote playback until I know it’s safe so I can be sure my music setup is secure.

Wired: A Log4J Vulnerability Has Set the Internet 'On Fire' | WIRED

UK Government: Alert: Apache Log4j 2 vulnerability (CVE-2021-44228)

Hi @Johnny_Maelstrom,

I’ve moved your topic over to the #support section of the forum to bring it to the attention of Roon’s @support team.

1 Like

I don’t think so. It is a Java library. Why should it affect software written in C/C# with the .NET Framework?

Also, your Roon system should not be accessible on the Internet. You run it locally; as long as the attacker is not inside your network, you are safe.

1 Like

If Roon’s service and software are not Java-based and the vulnerability does not extend beyond that scope then there should not be a risk to Roon.

Hopefully, someone from Roon will check and confirm that. You’d be surprised what’s behind the scenes so it’s worth asking and for Roon to check.

Absolutely. This said, as long as Roon isn’t remote-accessible, wouldn’t one be correct in assuming it doesn’t expose a service, and thus Log4J isn’t a potential issue (contrary to, say, Plex)?

Unless I misunderstand the architecture, Roon has its own servers where some functionality is delivered.

It’s this part that I’m mainly concerned about.

1 Like

This vulnerability impacts Java/JVM-based applications that use log4j.

The Roon applications do not use Java, other than a minimal use of Java required to integrate with the Android platform, but we do not use log4j on Android.

Our cloud services are not Java-based, and thus not impacted.

I can’t speak for Qobuz or TIDAL, and do not have detailed information about their internal architecture or tech stack. If you are concerned about them, I’d advise contacting them directly.

7 Likes

Thanks Brian, that’s exactly what I wanted to hear.

Doesn’t Roon use Elasticsearch for its hosted search index? Although I’m guessing you’re already running ES6 or 7.

Btw, I hope this doesn’t come across as a snarky “I think you’ve missed one…look at me for spotting it”. It was just that I was reading this thread after patching one of our older Elastic clusters at the weekend and then thought “But doesn’t Roon also use Elastic as well?”.

My answer yesterday focused on our in-house services and not external or third-party stuff, but we did audit everything. Our Elastic installs are up to date and were not susceptible to this issue.

1 Like
