Log4j 0 Day Vulnerability (Minecraft Clients ARE Vulnerable)

  • As many of you will be aware, some rather large shit hit a rather large fan late last night (UK Time) with the announcement of a 0 day vulnerability which was tweeted out in the format of an un-patched proof of concept.

    This vulnerability impacts the Log4J dependency, a logging tool used extensively in the Java programming world, and within the Minecraft clients and servers as well.

    It was originally believed that the remote code execution was limited to only some early Java 8 builds, however that has since been suggested not to be the case.

    While I don't plan to go into the deep technical here, there's a lot of interesting write-ups already and a lot of security researchers working on analysing this further. So far it's scored a 10/10 in terms of criticality and I would be surprised if that dropped a lot. There's also an excellent write-up from Sophos's security labs team, and I would suggest you read it if you want to understand the technical - https://nakedsecurity.sophos.com/2021/12/10/log…d-your-servers/

    What You Need to do urgently

    This impacts both servers and clients; you will need to patch your local Minecraft instance to be secure from this vulnerability.

    Clients:

    The simple solution is for you to move to the 1.18.1 release if you use the Mojang Launcher; the issue has been resolved and is baked in, so nothing too complicated you need to do.

    Likewise if you are using older versions in the native Mojang launcher, we believe a re-start should resolve the issue; ensure all launcher instances are closed. We would NOT suggest depending on this 100% though, especially if you use older versions. Likewise this will NOT resolve issues with modded game play.

    For those using MultiMC, you will need to fully re-start your client, and connect every instance you have with online mode enabled at least once. By doing so you should pull down the patch. For more info and how to verify this please see this MultiMC Blog Post.

    If you are using FORGE ensure you are running these Forge versions as a minimum:

    • 1.18-38.0.17
    • 1.17.1-37.1.1
    • 1.16.5-36.2.20
    • 1.15.2-31.2.56
    • 1.14.4-28.2.25
    • 1.13.2-25.0.222
    • 1.12.2-14.23.5.2857

    If you are running the FTB Launcher, force it to re-start fully and it should be fully patched. Again though we suggest caution with this assumption and taking additional care.

    For those using Fabric, it looks as if from version 0.12.9 onwards there were patches for the 1.17 and 1.18 clients. It looks as if the recommendation is to update to 0.12.10 which patches it in all cases. We've not verified this is actually the case, but we'd strongly suggest updating to version 0.12.10 or newer ASAP.

    Finally, for anything else or where you want to ensure you are secure, the following steps should be taken:

    • As per Sophos's guidance, block JNDI from making requests to untrusted servers. If you can’t update, but you’re using Log4j 2.10.0 or later, you can set the configuration value log4j2.formatMsgNoLookups to true, which prevents LDAP and similar queries from going out in the first place.
    • Use the CreeperHost-provided JAR as part of the execution; this will mean the vulnerable code can't make it to be executed, and will help safeguard your game: https://www.creeperhost.net/blog/mitigating-cve/

    Servers:

    Most server clients have already updated versions and the guidance above applies. I've only been able to personally verify the updates to Paper based on the changes in their source code, so again please do your due diligence to verify patches are actually applied.

    Please see the above guidance for FTB, Forge and Fabric.

    Finally, for anything else or where you want to ensure you are secure, the following steps should be taken:

    • As per Sophos's guidance, block JNDI from making requests to untrusted servers. If you can’t update, but you’re using Log4j 2.10.0 or later, you can set the configuration value log4j2.formatMsgNoLookups to true, which prevents LDAP and similar queries from going out in the first place.
    • Use the CreeperHost-provided JAR as part of the execution; this will mean the vulnerable code can't make it to be executed, and will help safeguard your game: https://www.creeperhost.net/blog/mitigating-cve/

    Hopefully this is useful to folks and helps provide some guidance on how to protect yourselves against such a vulnerability.

    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK
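
An inventory check for the "anything else" steps in the post above, added here as an example and not code from the post, Sophos or CreeperHost: it walks a game or server directory, finds jars that carry log4j-core, and reports whether each meets the 2.10.0 floor the post gives for log4j2.formatMsgNoLookups. The `sample_jar` helper and the result field names are constructed for illustration, and the script does not decide whether a jar is patched.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FLAG_MIN = (2, 10, 0)  # the post: the flag only helps on Log4j 2.10.0 or later

def inspect_jar(jar, filename=""):
    """Inspect one jar (path or file object); None if it carries no log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    # Prefer the version Maven recorded inside the jar; fall back to the file name.
    found = (re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
             or re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", filename))
    if not (props or found or JNDI_CLASS in names):
        return None
    version = tuple(int(g or 0) for g in found.groups()) if found else None
    return {
        "version": version,
        "jndi_lookup_present": JNDI_CLASS in names,
        "flag_supported": version is not None and version >= FLAG_MIN,
    }

def scan_tree(root):
    """Yield (path, finding) for every jar under root that contains log4j-core."""
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            finding = inspect_jar(path, path.name)
        except (zipfile.BadZipFile, OSError):
            continue  # truncated or unreadable jar: skip it rather than abort the scan
        if finding:
            yield path, finding

def sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar, so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, finding in scan_tree("."):
        print(path, finding)
```

For jars reported with `flag_supported`, the setting from the post is passed to the JVM as `-Dlog4j2.formatMsgNoLookups=true`.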

  • Added additional guidance to include Fabric based on content in their Discord server along with guidance for servers.

    Wild1145


  • iVacon update to 1.18.1 is the best bet.

    If not, the flags and CreeperHost method would be best based on the info I know right now.

    Wild1145
