Just posting it here for awareness for people who run their own Minecraft servers, like we do.
Security vulnerability in Java Edition
=========================================================
There is a vulnerability in Log4j. This is a common Java logging library. This exploit affects many services including Minecraft Java Edition.
Follow these steps to secure your server.
- 1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:
- 1.17: Add the following JVM arguments to your startup command line:
-Dlog4j2.formatMsgNoLookups=true
- 1.12-1.16.5: Copy log4j2_112-116.xml to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
-Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7-1.11.2: Copy log4j2_17-111.xml to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
-Dlog4j.configurationFile=log4j2_17-111.xml
- Versions below 1.7 are not affected
Because of the custom server scripts that we use, I had to include the full path to the .xml files. So in our case it's:
-Dlog4j.configurationFile=/path/to/log4j2_112-116.xml
and
-Dlog4j.configurationFile=/path/to/log4j2_17-111.xml
The exploit is very simple to use. No hacked clients or anything like that are needed. Just type something in chat and boom: your server is now part of a botnet or mining cryptocurrency.
Keep your Minecraft servers safe
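
A shell check of a server's startup command line against the steps listed above, added here as an example and not part of the original post. The function names and exit codes are made up for illustration; WORKDIR is the directory the server is started from, which matters for the relative .xml path.

```shell
#!/bin/sh
# Added example; function names and exit codes are constructed for illustration.
# Version ranges, flags and file names are the ones listed in the post.

# Print the JVM argument the post lists for a server version, or "none".
# Returns 2 for versions the post does not cover (or unparsable input).
required_flag() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch:-0}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] || return 2
    if   [ "$minor" -lt 7 ];  then echo none        # below 1.7: not affected
    elif [ "$minor" -le 11 ]; then echo "-Dlog4j.configurationFile=log4j2_17-111.xml"
    elif [ "$minor" -le 16 ]; then echo "-Dlog4j.configurationFile=log4j2_112-116.xml"
    elif [ "$minor" -eq 17 ]; then echo "-Dlog4j2.formatMsgNoLookups=true"
    elif [ "$minor" -eq 18 ] && [ "$patch" -eq 0 ]; then
        echo "-Dlog4j2.formatMsgNoLookups=true"     # 1.18 not yet upgraded to 1.18.1
    elif [ "$minor" -eq 18 ] && [ "$patch" -eq 1 ]; then
        echo none                                   # 1.18.1: the upgrade target
    else return 2
    fi
}

# check_startup VERSION "STARTUP COMMAND" WORKDIR
# 0 = mitigation in place, 1 = argument missing, 2 = version not covered,
# 3 = configurationFile is set but the XML file is not where the JVM will look.
check_startup() {
    flag=$(required_flag "$1") || return 2
    if [ "$flag" = none ]; then return 0; fi
    key=${flag%%=*}; want=${flag#*=}
    for arg in $2; do                 # simple split: no quoted spaces in paths
        case "$arg" in "$key"=*) val=${arg#*=} ;; *) continue ;; esac
        if [ "$want" = true ]; then
            if [ "$val" = true ]; then return 0; fi
            continue
        fi
        [ "${val##*/}" = "$want" ] || continue
        # A relative path is resolved against the server's working directory.
        case "$val" in /*) path=$val ;; *) path=$3/$val ;; esac
        if [ -f "$path" ]; then return 0; else return 3; fi
    done
    return 1
}
```

Exit code 3 is the case described above where the argument is present but the .xml file is not found relative to the working directory, which is what the full path works around.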