February 4th, 2022, 09:27 AM
#11
Hi baalbaki,
Thank you for the feedback.
But please let me stress that we are well aware of the Log4Shell vulnerability but, in short, Lightstreamer is not affected.
The Lightstreamer Server has been using the logback library for its own logging since version 5.0. Logback is not affected by this vulnerability because it does not use the vulnerable log4j-core library.
Indeed the Lightstreamer Server comes with a few preinstalled demos, whose adapters use log4j for logging. These are the demos that populate the welcome page in a fresh installation of Lightstreamer.
But we don't expect that a public installation of Lightstreamer Server includes the demo Adapter Set and/or allows access to the demos. In the PRODUCTION_SECURITY_NOTES.TXT document that is included in the root folder of all Lightstreamer distributions, we have always recommended removing the preinstalled demos.
We had already upgraded our Lightstreamer distribution to version 2.17.0, but we also know that another minor problem was found shortly after and fixed in version 2.17.1. I confirm that the next release will contain the update.
Obviously if you decide to use log4j2 in your adapters it is absolutely recommended to upgrade to the latest version (2.17.1).
Regards,
Giuseppe
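
A way to check an installation for what the post above describes, i.e. log4j-core jars older than 2.17.1 left in demo or custom adapter folders. This is an added example, not Lightstreamer code or part of the original post; the function names are hypothetical, and it identifies log4j-core by the Maven `pom.properties` entry and the `JndiLookup` class those jars carry, so renamed jars are caught and logback jars are ignored.

```python
import os
import re
import sys
import zipfile

# Entries that identify a log4j-core jar regardless of its file name.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 1)  # version the post recommends for adapters using log4j2


def inspect_jar(path):
    """Return (version tuple or None, has JndiLookup) for log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM not in names and JNDI not in names:
                return None  # e.g. logback or log4j-api: not log4j-core
            version = None
            if POM in names:
                text = jar.read(POM).decode("utf-8", "replace")
                m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
                if m:
                    version = tuple(int(g or 0) for g in m.groups())
            return version, JNDI in names
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable archive: skipped, not reported


def scan(root):
    """List (path, version, has_jndi) for log4j-core jars below FIXED under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            # Unknown version is reported too, so it gets a manual look.
            if info and (info[0] is None or info[0] < FIXED):
                findings.append((path, info[0], info[1]))
    return findings


if __name__ == "__main__":
    # Usage: python scan_log4j.py <installation directory>
    for path, version, jndi in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{path}: log4j-core {shown}, JndiLookup present: {jndi}")
```

Jars nested inside other archives are not opened, so a fat jar that bundles log4j-core as an inner jar needs a separate look.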