Mitigating CVE-2021-44228/Log4Shell in Minecraft

By Paul Taylor

THIS PATCH ALSO MITIGATES CVE-2021-45046

TL;DR: Go to CreeperHost/Log4jPatcher (github.com) if you're worried and follow the instructions; it won't hurt even if your version is already patched.

Good Morning,

We, and I imagine everyone in the MC community, wish this post were hailing from a better place, but this is where we are.

A CVE has been released which, while its attack vector in Minecraft seems limited chiefly to crashes, could extend to RCE if a vulnerable library is used; it is also possible that there are vulnerabilities in specific JRE versions, or undiscovered vulnerabilities in libraries already in use.

As such, we should assume the RCE (Remote Code Execution) is already available or will be soon.

While this is not a significant concern for us as a whole, since we containerise every customer's server so that nobody else's server could be impacted, there is still an attack vector, and other community members are much more vulnerable - what is bad for the community is terrible for us.

There is a simple command-line argument available for essential mitigation, "-Dlog4j2.formatMsgNoLookups=true"; however, this argument only works in Log4j 2 version 2.10.0+, which is only included in Minecraft versions 1.17 and above.

To mitigate this in older versions, we've created a Java agent; it is loaded via an extra argument at launch time.

Java agents are primarily used for instrumentation/profiling, and class transformers are pretty standard, so we've made use of this to essentially "nuke" the JNDI handler in log4j2, removing any possibility of exploitation.
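As an added illustration of that approach (this is not CreeperHost's Log4jPatcher code), a minimal Java agent whose class transformer replaces the body of JndiLookup.lookup with "return null" when Log4j 2 loads the class; it assumes the ASM library is on the classpath and the agent jar's manifest declares `Premain-Class: JndiNukeAgent` (hypothetical class name):

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

// Hypothetical agent (assumes ASM on the classpath); launched with -javaagent:agent.jar
public final class JndiNukeAgent {
    // Internal (slash-separated) name of the Log4j 2 class that performs JNDI lookups
    static final String TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup";

    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new JndiTransformer());
    }

    static final class JndiTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
                                ProtectionDomain domain, byte[] bytes) {
            if (!TARGET.equals(name)) {
                return null; // null = leave this class untouched
            }
            ClassReader reader = new ClassReader(bytes);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new ClassVisitor(Opcodes.ASM9, writer) {
                @Override
                public MethodVisitor visitMethod(int access, String mName, String desc,
                                                 String sig, String[] exc) {
                    MethodVisitor mv = super.visitMethod(access, mName, desc, sig, exc);
                    boolean concreteLookup = "lookup".equals(mName)
                            && (access & Opcodes.ACC_ABSTRACT) == 0
                            && desc.endsWith(")Ljava/lang/String;");
                    if (!concreteLookup) {
                        return mv; // every other method is copied through unchanged
                    }
                    // Emit a replacement body "return null;" so a ${jndi:...} pattern
                    // resolves to nothing instead of opening a JNDI connection.
                    mv.visitCode();
                    mv.visitInsn(Opcodes.ACONST_NULL);
                    mv.visitInsn(Opcodes.ARETURN);
                    mv.visitMaxs(1, 0); // recomputed by COMPUTE_MAXS
                    mv.visitEnd();
                    return null; // returning null discards the original instructions
                }
            }, 0);
            return writer.toByteArray();
        }
    }
}
```

Because the agent registers its transformer in premain, it sees JndiLookup the first time any Log4j 2 version loads it, so no dependency on 2.10.0+ is needed.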

We will maintain this unofficial patch and respond to any further disclosures for this issue indefinitely.

License is MIT; source and release are available at CreeperHost/Log4jPatcher (github.com).

Minecraft 1.18.1 and Forge/Fabric/Paper versions released on or after the 10th December 2021 should be free of this vulnerability and will not require any action.

Modpacks may not be free of this vulnerability even if released after the above date; ensure your chosen launcher/app applies a security patch. We can confirm the FTB App has been patched in development and the fix will be released today.

If anyone finds any cases where this patch does not work, please contact us or issue a PR.

Update @ 1pm GMT: Mojang have rolled out updates by changing the Log4j configuration files - while this will fix any issues for launchers/apps using the official Mojang launcher, any custom launchers or systems which provide their own Log4j configuration files may still be vulnerable. This patch ensures they are not.

Paul Taylor

Published 6 months ago
