According to https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-7281/Apache-Log4net.html ST uses version 2.0.8.0 which is not robust, please upgrade log4net to version 2.0.10.0:

"Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files."