log4j is no longer standard and has a lot of vulnerabilities.
https://security.snyk.io/package/maven/ ... g4j/1.2.17
Upgrade to log4j2
Re: Upgrade to log4j2
Hi,
we know about the security issues that have been piling up in the past years; however, none of these vulnerabilities are relevant to SmartFoxServer 2X.
The default SFS2X logging config does not use the Chainsaw component or the SocketAppender, which are the two main vulnerable elements. The remaining issues listed in the article require write access to the log4j config, which means that the security of the system is already compromised.
As for future upgrades, we'll move to LogBack (always using the slf4j interface).
Cheers
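One way to check a deployment against the claim in the reply above, as an added example that is not part of the original thread or of SmartFoxServer: it parses a log4j 1.x properties config and reports appenders whose class is one of the two components the reply names, and whether each is actually attached to a logger. The sample config, logger names and host name are constructed, and properties line continuations are not handled.

```python
import re

# The two components named in the reply; matched as substrings of configured class names.
FLAGGED = ("org.apache.log4j.net.SocketAppender", "org.apache.log4j.chainsaw.")

def parse_properties(text):
    """Parse log4j 1.x properties text into a dict, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return {appender_name: (class_name, attached)} for appenders using a flagged class."""
    props = parse_properties(text)
    attached = set()
    for key, value in props.items():
        # Logger values have the form "LEVEL, appender1, appender2".
        if re.match(r"log4j\.(rootLogger|rootCategory|logger\..+|category\..+)$", key):
            attached.update(p.strip() for p in value.split(",")[1:] if p.strip())
    findings = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and any(f in value for f in FLAGGED):
            findings[m.group(1)] = (value, m.group(1) in attached)
    return findings

# Constructed sample config, not the SFS2X default.
SAMPLE = """\
log4j.rootLogger=INFO, fileAppender
log4j.logger.com.example.audit=DEBUG, remote
log4j.appender.fileAppender=org.apache.log4j.DailyRollingFileAppender
log4j.appender.fileAppender.File=logs/app.log
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=loghost.example
log4j.appender.unused=org.apache.log4j.net.SocketAppender
"""

if __name__ == "__main__":
    for name, (cls, attached) in audit(SAMPLE).items():
        state = "attached to a logger" if attached else "defined but not attached"
        print(f"{name}: {cls} ({state})")
```

An empty result means the config file itself references neither component; it says nothing about code that configures log4j programmatically.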