Just wondering and hoping that the dev team is aware of the recent Log4j security issue.
I don't know if Spiral Knights even uses this library, but it has affected a lot of Java applications, including games like Minecraft. To be honest, I'm reluctant to log in without knowing that this issue has been addressed, if applicable.
Like Goofio, I've been worried about this issue. Thanks for investigating, Flowchart.
Would be nice if SK Developers could confirm the game does not use log4j
As far as I can tell, SK uses Apache Commons Logging (which in turn uses the standard logging package Flowchart mentioned); this library does have a wrapper for Log4J, but the Log4J library itself isn't included in the game, so it's not used
I found the `Log4JLogger.class` file in the code/commons-logging.jar file.
However, the vulnerability affects specific 2.x versions.
There is the following string in that file:
```
Log4J 1.2 not available
```
That and the fact that SK game has not been updated for years convinces me that the version is old and not affected by the vulnerability.
^ Log4JLogger is just the Log4J wrapper I mentioned before, not the library itself, so I wouldn't worry regardless
As noted above, we do not believe that Spiral Knights is vulnerable to this particular issue.
Good stuff, thx for confirming Cronus
it seems SK is using java.util.logging (that comes with java, but has fewer features) instead of log4j
this can be verified by putting this line in your extra.txt
-Djava.util.logging.config.file=nonexist.properties
if nonexist.properties does not exist, then the log file projectx.log will be logging anything while playing (so I don't recommend keeping it)
There are some references to log4j in some of the publicly available source code but it looks like the libraries just have support for it and SK is not actually using it.
Also it was a problem they'd have an update for the game they actually care about (Puzzle Pirates)