Seafile pro edition 7.x and 8.x use ElasticSearch 5.6. According to the ElasticSearch forum (Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 - Security Announcements - Discuss the Elastic Stack), ElasticSearch 5.6 contains a vulnerable version of Log4j.
Seafile pro edition builds a search query from the user’s input and sends it to ElasticSearch. Normally, ElasticSearch does not log queries.
But if an exception occurs while handling the query (for example, not enough memory), ElasticSearch may log the query and trigger an attack.
So far, I can’t reproduce an attack with Seafile pro 8.0. But the best way to mitigate the problem is adding
In summary, there does not seem to be a big risk for Seafile systems at the moment, because no attack can be done over the internet, but only through a full text search by a logged-in user. And according to the ElasticSearch forum, it is not yet known how ElasticSearch 5.6 can be attacked with the log4j2 vulnerability.
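
To confirm which Log4j build a given ElasticSearch install actually ships, the following added example (not part of the original post, and not Seafile or Elastic code) lists every `log4j-core` jar below a directory and reports whether it still contains the `JndiLookup` class that CVE-2021-44228 relies on. The function name `inventory_log4j` and the directory you pass in are assumptions; point it at the ElasticSearch installation used by your Seafile server.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class inside log4j-core that implements the JNDI lookup used by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(?P<version>\d[\w.\-]*)\.jar$")


def inventory_log4j(root):
    """Return one record per log4j-core jar found below `root`.

    `root` is an assumption: the ElasticSearch install directory
    (or its lib/ subdirectory) on the Seafile host.
    """
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        match = JAR_NAME.match(jar.name)
        record = {
            "path": str(jar),
            "version": match.group("version") if match else "unknown",
            "jndi_lookup_present": None,  # None means the jar could not be read
        }
        try:
            with zipfile.ZipFile(jar) as archive:
                record["jndi_lookup_present"] = JNDI_CLASS in archive.namelist()
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable jar: keep None so it is reviewed by hand
        findings.append(record)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for item in inventory_log4j(target):
        print(item)
```

A jar reported with `jndi_lookup_present` set to `True` still carries the lookup code; compare its version against the Elastic announcement linked above.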