Log4j

8 replies
Goofio

Just wondering and hoping that the dev team is aware of the recent Log4j security issue.

I don't know if Spiral Knights even uses this library, but it has affected a lot of Java applications, including games like Minecraft. To be honest, I'm reluctant to log in without knowing that this issue has been addressed, if applicable.

Flowchart

it seems SK is using java.util.logging (that comes with java, but has fewer features) instead of log4j

this can be verified by putting this line in your extra.txt
```
-Djava.util.logging.config.file=nonexist.properties
```

if nonexist.properties does not exist, then the log file projectx.log will be logging anything while playing (so I don't recommend keeping it)

There are some references to log4j in some of the publicly available source code but it looks like the libraries just have support for it and SK is not actually using it.

Also if it was a problem they'd have an update for the game they actually care about (Puzzle Pirates)

Bopp
thanks

Like Goofio, I've been worried about this issue. Thanks for investigating, Flowchart.

Thats-Rough-Buddy
Would be nice if SK Developers could confirm the game does not use log4j

Caladfwlch
As far as I can tell, SK uses Apache Commons Logging (which in turn uses the standard logging package Flowchart mentioned); this library does have a wrapper for Log4J, but the Log4J library itself isn't included in the game, so it's not used

Ryukusu-Luminarius
I found the `Log4JLogger.class` file in the code/commons-logging.jar file.
However, the vulnerability affects specific 2.x versions.
There is the following string in that file:
```
Log4J 1.2 not available
```
That and the fact that SK game has not been updated for years convinces me that the version is old and not affected by the vulnerability.

Caladfwlch
^ Log4JLogger is just the Log4J wrapper I mentioned before, not the library itself, so I wouldn't worry regardless
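
The wrapper-versus-library distinction discussed in the posts above can be checked by listing what each jar actually contains. The following is an added example, not part of the original thread and not code from any poster or from the game's developers. It assumes the standard upstream package paths for commons-logging, Log4j 1.x and log4j-core 2.x; the function names, finding labels and sample jars are constructed for illustration.

```python
import io
import sys
import zipfile

# Entry paths assumed from the upstream projects' standard package layout.
WRAPPER = "org/apache/commons/logging/impl/Log4JLogger.class"   # adapter only
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/"                   # the 2.x library
LOG4J1 = "org/apache/log4j/"                                     # the 1.x library

def scan_jar(source, label="<jar>", depth=0):
    """Return sorted (location, finding) pairs; source is a path or file object."""
    findings = set()
    try:
        with zipfile.ZipFile(source) as jar:
            for name in jar.namelist():
                if name == WRAPPER:
                    findings.add((label, "commons-logging Log4J wrapper only"))
                elif name == JNDI_LOOKUP:
                    findings.add((label, "log4j-core 2.x with JndiLookup"))
                elif name.startswith(LOG4J2_CORE) and name.endswith(".class"):
                    findings.add((label, "log4j-core 2.x classes"))
                elif name.startswith(LOG4J1) and name.endswith(".class"):
                    findings.add((label, "log4j 1.x classes"))
                elif name.lower().endswith((".jar", ".war")) and depth < 3:
                    # Bundled jars hide libraries from a top-level listing.
                    nested = io.BytesIO(jar.read(name))
                    findings.update(scan_jar(nested, f"{label}!{name}", depth + 1))
    except zipfile.BadZipFile:
        findings.add((label, "unreadable archive"))
    return sorted(findings)

def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf

def demo():
    # Constructed samples: a wrapper-only jar and an app jar bundling log4j-core.
    wrapper_only = _make_jar({WRAPPER: b"", "org/apache/commons/logging/Log.class": b""})
    inner = _make_jar({JNDI_LOOKUP: b"", LOG4J2_CORE + "Logger.class": b""})
    bundled = _make_jar({"lib/log4j-core.jar": inner.getvalue(), "app/Main.class": b""})
    return scan_jar(wrapper_only, "commons-logging.jar"), scan_jar(bundled, "app.jar")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for location, finding in scan_jar(path, path):
            print(f"{location}: {finding}")
```

A jar that reports only the wrapper finding contains the adapter class and none of the Log4j library classes, which is the situation described in the thread.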

Cronus
Game Master
As noted above, we do not believe that Spiral Knights is vulnerable to this particular issue.

Thats-Rough-Buddy
Good stuff, thx for confirming Cronus