Minecraft rushes out patches for critical Log4j vulnerabilities: How to apply each patch explained

Swedish video game developer Mojang Studios has released an emergency security update for Minecraft to address a critical bug in the Apache Log4j Java logging library used by the game’s Java Edition client and multiplayer server.

https://www.minecraft.net/en-us/article/minecraft-java-edition-1-18-1

This vulnerability is fixed in the Java Edition 1.18.1 release, which is being distributed to all users.

This release fixes a critical security issue with the multiplayer server, changes the way world fog works to give you more visibility into your world, and fixes a few other bugs.

If you are running a multiplayer server, we strongly recommend that you upgrade to this version as soon as possible.

A patch has been applied to all versions of the game client to address this vulnerability, but the following steps must be taken to protect the game and server.

For the official game client

If you are playing Minecraft: Java Edition but not hosting your own server, follow these steps.

Close all running games and instances of Minecraft Launcher. When you launch the Launcher again, it will automatically download the patched version.

For customized clients and third-party launchers

Customized clients and third-party launchers may not be updated automatically.

In such cases, we recommend that you follow the advice of the third-party provider.

If the third-party provider has not patched the vulnerability or stated that it is safe to play, assume that the vulnerability has not been fixed and that you are taking a risk by playing.

For game servers

If you are hosting your own Minecraft: Java Edition server, the steps needed to secure it depend on the version you are running.

1.18: Upgrade to 1.18.1 if you can. If you cannot upgrade, use the same method as for 1.17.x.

1.17: Add the following JVM argument to the command line at startup.

-Dlog4j2.formatMsgNoLookups=true

1.12-1.16.5: Download this file to the working directory where your server is running, then add the following JVM argument to the command line at startup.

-Dlog4j.configurationFile=log4j2_112-116.xml

1.7-1.11.2: Download this file to the working directory where your server is running, then add the following JVM argument to the command line at startup.

-Dlog4j.configurationFile=log4j2_17-111.xml

This does not affect versions prior to 1.7.
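The per-version table above is easy to get wrong in a start script, and a -D option placed after -jar is handed to the server rather than to the JVM, so it silently does nothing. The following check is an added example, not code from Mojang or from the article: given a server version string and its start command, it reports whether the JVM argument the article prescribes is actually reaching the JVM (it checks the command line only, not whether the downloaded XML file is present in the working directory). Version strings, range boundaries and the assess() function are this example's own assumptions.

```python
"""Check whether a Minecraft: Java Edition server start command carries the
CVE-2021-44228 mitigation the article prescribes for that server version."""
import re
import shlex

# Version ranges and the JVM system property the article lists for each:
# (lowest, highest, property, value). 1.18.1+ is patched, pre-1.7 unaffected.
MITIGATIONS = [
    ((1, 17, 0), (1, 18, 0), "log4j2.formatMsgNoLookups", "true"),
    ((1, 12, 0), (1, 16, 5), "log4j.configurationFile", "log4j2_112-116.xml"),
    ((1, 7, 0), (1, 11, 2), "log4j.configurationFile", "log4j2_17-111.xml"),
]


def parse_version(text):
    """'1.16.5' -> (1, 16, 5); '1.18' -> (1, 18, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def jvm_system_properties(command):
    """Collect the -Dkey=value options that actually reach the JVM.

    Everything after '-jar <file>' is an argument to the server program, not
    to the JVM, so scanning stops at '-jar'.
    """
    props = {}
    for token in shlex.split(command):
        if token == "-jar":
            break
        match = re.fullmatch(r"-D([^=]+)=(.*)", token)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess(version_text, command):
    """Return (status, detail): patched, not_affected, mitigated, vulnerable or unknown."""
    version = parse_version(version_text)
    if version >= (1, 18, 1):
        return "patched", "1.18.1 and later ship with the fix"
    if version < (1, 7, 0):
        return "not_affected", "versions before 1.7 are not affected"
    for low, high, prop, value in MITIGATIONS:
        if low <= version <= high:
            if jvm_system_properties(command).get(prop) == value:
                return "mitigated", f"-D{prop}={value} is passed to the JVM"
            return "vulnerable", f"add -D{prop}={value} before -jar, or upgrade to 1.18.1"
    return "unknown", "version is not covered by the article's table"
```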

An actively exploited remote code execution vulnerability

This bug is tracked as CVE-2021-44228 and is referred to as Log4Shell or LogJam.

This bug is a remote code execution (RCE) flaw found in Apache Log4j, a Java-based logging library, and was reported by the Alibaba Cloud security team.

This flaw affects the default configuration of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are used in countless enterprise software products from Apple, Amazon, Cloudflare, Twitter, Steam, and others.

Attackers have already scanned the Internet for large numbers of vulnerable systems and are actively exploiting them, according to a CERT NZ security advisory.

Apache has already released Log4j 2.15.0, which addresses this maximum severity vulnerability. In earlier releases (2.10 and later), CVE-2021-44228 can still be prevented by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.

Security firm LunaSec highlights the seriousness of CVE-2021-44228

Many services are vulnerable to this exploit; cloud services such as Steam and Apple iCloud, as well as apps such as Minecraft, have already been found to be vulnerable.

If you’re using Apache Struts, you’re probably vulnerable. Similar vulnerabilities have been exploited before, in information breaches like the 2017 Equifax data breach.
