This week, an exploit has been found in a very popular logging library Log4j 2, used by many Java applications including Minecraft. Unfortunately, the severity of this exploit makes it really important for us to bring your attention to it, and provide steps so that you can protect yourself and your players. You can find some more information in the detailed blog post over on minecraft.net.
For those more technically inclined, you can find full information about this vulnerability in the linked CVE. Essentially though, with the right set of circumstances, this vulnerability allows a malicious actor to at a minimum lock up and/or crash your server, kicking all players, and at worst, execute arbitrary code both on the server and any unpatched connected clients (known as an RCE). It's the second part that makes this such a serious issue, and why many public servers were shut down yesterday to ensure the safety of their players.
Update: As of December 14th, a second CVE (CVE-2021-45046) was published for an updated version of Log4j that was released to fix the first issue. At this time, there is no evidence to suggest that this CVE impacts Minecraft, but the patches we have implemented (as described below) for all Nodecraft customers would prevent the issue either way. It's likely we'll be seeing more CVEs related to Log4j over the coming days and weeks, as the security community reviews its codebase and changes. We will continue to monitor the situation and implement any necessary patches to keep our customers and community safe.
What do I need to do?
There are a few things that you can do to ensure you are protected from this exploit. Different steps are needed for the server and the client, so we'll cover both here. When we refer to the "client", we're talking about how you run Minecraft on your own computer, through the official Minecraft launcher or another launcher. When we refer to the "server", we're talking about how you run the Minecraft server jar, such as through a hosting provider like ourselves.
Mojang have released manifest updates for their launcher, so as long as you have the latest version of the launcher and restart it, your client should be automatically patched. If you are using a third-party launcher such as ATLauncher, MultiMC, etc. you will need to ensure these launchers have been patched before we'd recommend joining any public servers. As of December 10th 2021, ATLauncher, MultiMC, and the FTB Launcher (via Overwolf) have been patched for this exploit. For all other launchers, please refer to their respective communities and updates for information.
If you are a Nodecraft customer, you do not need to do anything except restart your server. We have rolled out a global patch for all affected Minecraft versions. To verify your server has been patched, you should see some console lines near the top of your console that look something like this:
[Log4jPatcher] [INFO] Transforming org/apache/logging/log4j/core/lookup/JndiLookup
[Log4jPatcher] [INFO] Transforming org/apache/logging/log4j/core/pattern/MessagePatternConverter
The exact output may differ slightly between versions, due to different Log4j versions being used, and it may not appear at all for older Minecraft versions.
If you need manual instructions to patch your server, please continue reading below.
Patching the server can be a little more difficult depending on the version of Minecraft you're running, but we're working to make this as easy as possible for all Nodecraft customers. Generally, to ensure your server is patched, you will simply need to run the latest version of the server software you are using that is confirmed patched.
If you can, update your server to Minecraft version 1.18.1, where this exploit is patched.
For some older versions that likely won't receive patches, however, please carefully read the information below to determine what (if anything) you need to do. If there is no fix available for the version of Minecraft you are running, we can only recommend that you update your server, or do not run it until a fix is available. We are running the latest available Java versions, which do make this exploit much harder to execute, but it is still possible to exploit.
If you are running Minecraft Vanilla (official) version 1.17 or higher, simply add -Dlog4j2.formatMsgNoLookups=true to your JVM arguments.
Vanilla 1.12 - 1.16.5
To patch these versions, you will need to download this file (right click -> save link as) to the working directory where your server runs - the root / directory in your file manager. Then add the following JVM argument to your startup command line: -Dlog4j.configurationFile=log4j2_112-116.xml. In the Nodecraft control panel, you would add this under Game Settings -> Java Settings -> Java Command Arguments.
Vanilla 1.7 - 1.11.2
To patch these versions, you will need to download this file (right click -> save link as) to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
Spigot (etc.) 1.8+
If you are running a Bukkit derivative such as Spigot, Paper, etc., patched versions are out for many of these, so we'd recommend updating your server ASAP to ensure you are protected. If there is no patched version available, you will need to follow the same instructions as the respective Vanilla versions above.
Modded 1.7 - 1.16.5
Minecraft Forge has patched versions available for 1.12.2 and above, so you should simply need to update your Forge version to be secure. Fabric also has patched versions for most Minecraft versions now available. For any unpatched versions (or if you cannot update for some reason), the instructions included above for the respective Vanilla versions will generally work for modded servers too.
Modpacks may not be patched for this vulnerability even after all patches for Forge, Fabric etc. are released. To ensure your server is patched for this on older modpacks, you will need to follow the Vanilla instructions above for your applicable version, and add the patched log4j configuration file and startup argument.
Anything below 1.7
All Minecraft versions below 1.7 are unaffected and you do not need to perform any patches.
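As an added example (not Nodecraft's own tooling), the script below encodes the version-by-version instructions above and audits a server's JVM argument string against them. One caveat it checks for: the log4j2.formatMsgNoLookups property is honoured only by Log4j 2.10 and later, which is why the 1.12 - 1.16.5 and 1.7 - 1.11.2 instructions use a configuration file instead; setting only the flag on those versions leaves the server unprotected. The status labels and the sample startup lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Nodecraft's own tooling: map a Minecraft server version to the
# mitigation described above, then audit a JVM argument string for it. Assumes
# 1.x version strings like "1.16.5" or "1.18".

field() { printf '%s' "$1" | cut -d. -f"$2"; }   # n-th dot-separated field, "" if absent

# Which instruction above applies: patched, flag, config-112-116, config-17-111, none
mitigation_for_mc_version() {
  minor=$(field "$1" 2); patch=$(field "$1" 3); : "${patch:=0}"
  if [ "$minor" -gt 18 ] || { [ "$minor" -eq 18 ] && [ "$patch" -ge 1 ]; }; then
    echo patched          # 1.18.1 and later ship the fix
  elif [ "$minor" -ge 17 ]; then
    echo flag             # -Dlog4j2.formatMsgNoLookups=true (honoured by Log4j >= 2.10)
  elif [ "$minor" -ge 12 ]; then
    echo config-112-116   # log4j2_112-116.xml via -Dlog4j.configurationFile
  elif [ "$minor" -ge 7 ]; then
    echo config-17-111    # label for the 1.7 - 1.11.2 configuration file download above
  else
    echo none             # below 1.7 is unaffected
  fi
}

# Audit the JVM arguments for a given version. Prints one of:
#   ok                 an applicable mitigation is present (or none is needed)
#   flag-ineffective   only the system property is set, but this version's Log4j
#                      predates 2.10 and silently ignores it
#   unmitigated        nothing relevant found
audit_jvm_args() {
  needed=$(mitigation_for_mc_version "$1")
  args=" $2 "; has_flag=0; has_config=0
  case "$args" in *" -Dlog4j2.formatMsgNoLookups=true "*) has_flag=1 ;; esac
  case "$args" in *" -Dlog4j.configurationFile="*".xml "*) has_config=1 ;; esac
  case "$needed" in
    patched|none) echo ok ;;
    flag) if [ "$has_flag" -eq 1 ] || [ "$has_config" -eq 1 ]; then echo ok; else echo unmitigated; fi ;;
    config-*) if [ "$has_config" -eq 1 ]; then echo ok
              elif [ "$has_flag" -eq 1 ]; then echo flag-ineffective
              else echo unmitigated; fi ;;
  esac
}

# Constructed sample startup lines (not taken from any real server)
audit_jvm_args 1.17.1 "-Xmx4G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui"            # ok
audit_jvm_args 1.16.5 "-Xmx4G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui"            # flag-ineffective
audit_jvm_args 1.16.5 "-Xmx4G -Dlog4j.configurationFile=log4j2_112-116.xml -jar server.jar nogui" # ok
```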
Our friends over at CreeperHost have released a Java Agent-based mitigation for the exploits detailed in this blog post. You can find more information about this on their GitHub, including details on adding it to your server as another mitigation method if the instructions above aren't available for your particular version.
We'll be monitoring this situation as it develops over the coming days and weeks, and encourage you to use extreme caution when playing multiplayer Minecraft in the near future, especially if playing on public or untrusted servers. As always, please reach out to our support team if you have any questions, and we will do our best to assist in any way that we can.