
log4j vulnerable

PostPosted: Fri Dec 10, 2021 8:48 am
by isotopp
Subsonic uses log4j, which is vulnerable and actively exploited.
https://arstechnica.com/information-tec ... ution-bug/

Is there a patched version available?

Re: log4j vulnerable

PostPosted: Fri Dec 10, 2021 6:28 pm
by J_T_W
Subsonic is basically abandonware; it isn't open-source and there is no development by the owner. You might consider moving off to a newer implementation. Both below suggestions run on multiple platforms, I'm a Windows guy so some of my supplemental info isn't as useful to non-Windows users.

If you're looking for a very lateral move, consider Airsonic Advanced https://github.com/airsonic-advanced/airsonic-advanced - It is in active development with frequent snapshot updates https://github.com/airsonic-advanced/airsonic-advanced/releases . Same feature set as Subsonic (API, Sonos, etc.) with updated code. As it is open source, you also get all the features Subsonic Premium gives you, but for free. Minimal effort for installation (latest Java installed, then a command line shortcut to the war file - upgrades even easier with just a fast war file change).

If you're really more API focused, you might consider moving off the Subsonic family of servers altogether. Check out Navidrome https://www.navidrome.org/ . That product is primarily to supply the API with a completely new back-end, and refocuses to just support for audio (no video, podcast, internet radio, etc.). There is not yet built in support for Sonos, but you can find easy linking with something like Bonob https://github.com/simojenki/bonob. As with Airsonic Advanced, no subscription or fee to access the API. Navidrome does have a simplified web UI if desired.

Both products support running as a service with something like NSSM https://nssm.cc/ and IIS works great as a reverse proxy if you wish to run them over SSL.

Re: log4j vulnerable

PostPosted: Sat Dec 11, 2021 7:18 am
by molokoplus
I was curious about this, as well.

I will be looking into airsonic, thanks for the heads up.

I do have to say, though, I just looked in the war file of the latest/last version of Subsonic I have installed, and it is using Log4J 1.2.16, which is not vulnerable to Log4Shell, but is vulnerable to its own nasty item, but maybe not quite as readily and easily exploitable as jndi access: https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17571
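
The check above (open the .war, find the bundled log4j jar, read its version) is easy to automate. The script below is an added example, not Subsonic's or Apache's code: it builds a throwaway .war in memory so it runs offline, and the only things it assumes about a real war are the Maven jar-naming convention (log4j-<version>.jar for 1.x, log4j-core-<version>.jar for 2.x) and the pom.properties file Maven puts inside jars. It separates the two issues discussed in this thread: Log4Shell (CVE-2021-44228, log4j-core 2.0-beta9 through 2.14.1, excluding the 2.12.2 and 2.3.1 fix backports) and the SocketServer deserialization bug (CVE-2019-17571, log4j 1.2 through 1.2.17).

```python
"""Scan a .war for bundled log4j jars and report which of the two CVEs apply.

Added example, not Subsonic's or Apache's code. The sample .war is constructed
in memory; the Maven jar-naming convention and pom.properties layout are the
only things assumed about a real war file.
"""
import io
import re
import zipfile

LOG4SHELL = "CVE-2021-44228 (Log4Shell, JNDI lookup in log4j-core 2.0-beta9..2.14.1)"
SOCKETSERVER = "CVE-2019-17571 (SocketServer deserialization in log4j 1.2..1.2.17)"
NOT_LOG4SHELL = "not affected by CVE-2021-44228: 1.x has no message lookups"
# Fix releases on old branches that sit inside the numeric range but are patched.
LOG4SHELL_FIXED_BACKPORTS = {"2.12.2", "2.3.1"}
SOCKET_CLASS = "org/apache/log4j/net/SocketServer.class"

# Matches WEB-INF/lib/log4j-1.2.16.jar or WEB-INF/lib/log4j-core-2.0-beta9.jar
JAR_NAME = re.compile(r"^WEB-INF/lib/(log4j|log4j-core)-(\d[\w.-]*?)\.jar$")
UNVERSIONED = re.compile(r"^WEB-INF/lib/(log4j|log4j-core)\.jar$")


def version_key(v):
    """Sort key so that '2.0-beta9' < '2.0' < '2.14.1' (pre-release ranks below GA)."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    pre_num = re.search(r"\d+", pre)
    return (nums, 0 if pre else 1, int(pre_num.group()) if pre_num else 0)


def in_range(v, lo, hi):
    return version_key(lo) <= version_key(v) <= version_key(hi)


def classify(version, jar_entries):
    """Findings for one log4j version; jar_entries is the jar's file list."""
    findings = []
    if version.startswith("1.") and in_range(version, "1.2", "1.2.17"):
        note = SOCKETSERVER
        if SOCKET_CLASS in jar_entries:
            note += "; SocketServer class bundled, exploitable only if one is listening"
        findings += [note, NOT_LOG4SHELL]
    elif in_range(version, "2.0-beta9", "2.14.1") and version not in LOG4SHELL_FIXED_BACKPORTS:
        findings.append(LOG4SHELL)
    return findings


def pom_version(jar):
    """Fallback when the jar name carries no version: Maven's pom.properties does."""
    for n in jar.namelist():
        if n.startswith("META-INF/maven/") and n.endswith("pom.properties"):
            for line in jar.read(n).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_war(war_bytes):
    """Return {jar basename: {"version": ..., "findings": [...]}} for log4j jars."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_NAME.match(name) or UNVERSIONED.match(name)
            if not m:
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                entries = set(jar.namelist())
                version = m.group(2) if m.lastindex == 2 else pom_version(jar)
            results[name.rsplit("/", 1)[1]] = {
                "version": version,
                "findings": classify(version, entries) if version else ["version unknown"],
            }
    return results


def make_jar(entries):
    """Constructed stand-in jar (or war): a zip with the given {name: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, data in entries.items():
            z.writestr(n, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed .war: a 1.2.16 jar (as found in Subsonic) and an unversioned 2.14.1 jar."""
    old = make_jar({
        "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.16\n",
        SOCKET_CLASS: b"",  # placeholder entry, not real bytecode
    })
    new = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": b"version=2.14.1\n"})
    return make_jar({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-1.2.16.jar": old,
        "WEB-INF/lib/log4j-core.jar": new,  # no version in the name, so pom.properties is used
    })


if __name__ == "__main__":
    for jar, info in scan_war(build_sample_war()).items():
        print(jar, info["version"], *info["findings"], sep="\n  ")
```

To run it against a real install, replace `build_sample_war()` with `open("subsonic.war", "rb").read()`. A 1.x hit means the SocketServer class is shipped; whether it is reachable depends on whether anything actually starts a log4j SocketServer listening on a port, which the scan cannot tell you.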

Re: log4j vulnerable

PostPosted: Mon Dec 13, 2021 8:18 am
by pemholder
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions from 1.2 up to 1.2.17.

Can somebody translate this for me, maybe with a practical example? :?
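
A practical illustration, added here and not taken from log4j or Subsonic: log4j 1.2's SocketServer reads Java-serialized LoggingEvent objects straight off a TCP port with ObjectInputStream, so whoever can reach that port decides what gets deserialized, and in Java a "gadget" is a class already on the classpath whose deserialization does something useful to the attacker. Python's pickle has the same property, so the model below is in Python rather than Java: the vulnerable receiver deserializes whatever arrives (and a constructed gadget runs a command of the attacker's choosing in the process), while the hardened receiver accepts only a fixed text record and never turns wire bytes into objects. The record format, the gadget and the sample traffic are all constructed for the demo.

```python
"""Untrusted deserialization, modelled in Python.

log4j 1.2's SocketServer hands incoming bytes to ObjectInputStream; pickle has the
same "the bytes decide what code runs" property, so it stands in here. Added
example, not log4j's code. Gadget, record format and traffic are constructed.
"""
import json
import pickle
import subprocess
import sys


class LogRecord:
    """What a well-behaved log client would send."""

    def __init__(self, level, logger, message):
        self.level, self.logger, self.message = level, logger, message


class Gadget:
    """Attacker-controlled object: 'rebuilding' it runs a command, no log record needed."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        # pickle records "call subprocess.check_output(argv)" as the way to restore this object
        return (subprocess.check_output, (self.argv,))


def vulnerable_receive(wire_bytes):
    """Model of SocketServer/SocketNode: deserialize whatever arrives, then use it."""
    return pickle.loads(wire_bytes)  # arbitrary code runs inside this call


def hardened_receive(wire_bytes, max_len=8192):
    """Parse a fixed JSON record instead: only plain data comes out, never objects."""
    if len(wire_bytes) > max_len:
        raise ValueError("record too long")
    try:
        fields = json.loads(wire_bytes.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("not a log record") from exc
    if not isinstance(fields, dict) or set(fields) != {"level", "logger", "message"}:
        raise ValueError("unexpected fields")
    if not all(isinstance(v, str) for v in fields.values()):
        raise ValueError("non-string field")
    if fields["level"] not in {"DEBUG", "INFO", "WARN", "ERROR"}:
        raise ValueError("bad level")
    return LogRecord(**fields)


# Constructed traffic: one honest client, one attacker on the same port.
HONEST_PICKLE = pickle.dumps(LogRecord("INFO", "net.sourceforge.subsonic", "started"))
HONEST_JSON = json.dumps(
    {"level": "INFO", "logger": "net.sourceforge.subsonic", "message": "started"}
).encode()
# Portable stand-in for "any command": run the interpreter and print a marker.
MALICIOUS = pickle.dumps(Gadget([sys.executable, "-c", "print('attacker code ran on the log server')"]))


def demo():
    honest = vulnerable_receive(HONEST_PICKLE)      # a LogRecord, as intended
    pwned = vulnerable_receive(MALICIOUS)           # the command's output: it ran
    try:
        hardened_receive(MALICIOUS)
        blocked = False
    except ValueError:
        blocked = True
    return type(honest).__name__, pwned, blocked, hardened_receive(HONEST_JSON).message


if __name__ == "__main__":
    print(demo())
```

The translation of the CVE text, then: the vulnerable code is only a problem if a log4j SocketServer (or SimpleSocketServer) is actually listening and an attacker can reach it; if nothing in the Subsonic install starts one, the class is present but not reachable. The hardened receiver shows the general fix for this bug class: never reconstruct objects from network bytes, parse a data format with a fixed schema instead.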

Re: log4j vulnerable

PostPosted: Mon Dec 13, 2021 4:28 pm
by J_T_W
pemholder wrote: Can somebody translate this for me, maybe with a practical example?


You mail a letter to your friend inviting them to a party you're hosting using a secret code you think only you and your friend know. Although you trust the postman to take the letter from you, transport it to your friend's house and deliver it to them, I wait until the postman needs to use the WC, sneak into their mail bag, open your letter, decode it, rewrite it to tell your friend not to come to the party because they would ruin it for everyone else, encode it back into your secret language, seal the letter back up and put it in the mail bag without the postman knowing. Your friend gets what they think is your letter, decodes it, reads what I said, and because it was in your secret code, thinks it was from you. They are very mad at you now and you have a lot of explaining to do over the upcoming holidays.

Re: log4j vulnerable

PostPosted: Mon Dec 13, 2021 5:52 pm
by acroyear
Of note, Navidrome only supports ID3 tagging (and only a single music folder) - even in indexes/musicDirectory mode in the API, it only returns the Artists/Albums that are tagged in the music files.

It is a very solid piece of work, and I've strived to keep the SubFire app suite working with it, but that is a limitation that prevents me from using it as a full Subsonic replacement.

Re: log4j vulnerable

PostPosted: Mon Dec 13, 2021 7:12 pm
by J_T_W
acroyear wrote: Of note, Navidrome only supports ID3 tagging...


There have been a few issues submitted to Navidrome over this, as the API should allow for browsing by folder. There were some recent updates to add partial support for this - the convoluted way to do it is to access the UI as the user to change, Settings, Players, select the desired player, then "Report Real Path" - not perfect, but better (-ish :-) )

Re: log4j vulnerable

PostPosted: Tue Dec 14, 2021 6:41 pm
by Phatteus
One of my reasons for sticking with Subsonic for all these years is stability - for me, it has been unusually reliable - way better than most apps I rely on.

Navidrome looks promising but still lacking a certain level of maturity.

Airsonic Advanced would seem to be a viable replacement (thanks J_T_W!) - but I do not see that they have provided a patch for the log4j vulnerability - so at this point I'd still be in the same boat.

I guess I'd better shutdown Subsonic for the foreseeable future :cry: at least until a patch is provided for Airsonic Advanced.

Re: log4j vulnerable

PostPosted: Tue Dec 14, 2021 9:25 pm
by J_T_W

Re: log4j vulnerable

PostPosted: Sun Dec 19, 2021 3:35 am
by nrc
molokoplus wrote: I was curious about this, as well.

I will be looking into airsonic, thanks for the heads up.

I do have to say, though, I just looked in the war file of the latest/last version of Subsonic I have installed, and it is using Log4J 1.2.16, which is not vulnerable to Log4Shell, but is vulnerable to its own nasty item, but maybe not quite as readily and easily exploitable as jndi access: https://cve.mitre.org/cgi-bin/cvename.c ... 2019-17571


Yeah, this is sad because it means that we've been using Subsonic with a serious vulnerability for two years now. Well, I only came to it recently, but for anyone using it since 2019...

Classic example of the danger of abandonware. Someone should ask the hosting company he links if the application is vulnerable and they plan on doing something about it.