[German]Users who use the Minecraft game, which belongs to Microsoft, urgently need to update its client, which is written in JAVA. The background is that the log4j vulnerability CVE-2021-44228 also makes Minecraft servers vulnerable via Minecraft clients. The developer of Minecraft, Mojang, already announced this in a blog post over the weekend.
The log4j vulnerability CVE-2021-44228
I had already pointed out the issue on December 10, 2021 in the blog post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk. In the Java library log4j used for logging, there is a critical vulnerability in the JNDI lookup function that allows attackers to inject and execute remote code. The JNDI lookup function of log4j allows variables to be retrieved via the JNDI – Java Naming and Directory Interface. If an attacker writes malicious code in the form of a URL to the log file, the JNDI directory service then contacts the LDAP server listed in the log to request data from it. This can also include Java classes, which are then executed. If an attacker succeeds in specifying the URL to a server he controls in the log file, he can hijack a server via logging (Log4Shell).
Since a proof of concept (PoC) for the remote code execution vulnerability in log4j was published on December 9, 2021, the IT world has been upside down. US CISA warns (see) that this is the biggest vulnerability of the year, threatening hundreds of millions of devices and programs. This includes the game Minecraft with its servers and the JAVA Minecraft clients used by users.
Mojang: Urgently update Minecraft
In an important security advisory on minecraft.net and also in the following tweet, the developer Mojang advises its users to urgently update the Minecraft JAVA client for security reasons (I had already briefly mentioned the update in the post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk).
Mojang's post states that the Log4j vulnerability affects many services – including Minecraft Java Edition. This vulnerability poses a potential risk of players' computers being compromised. Although this vulnerability has been fixed with a patch for all versions of the game client, users still need to take the following steps to protect the game and servers.
- Those who play Minecraft with the Java Edition but do not host their own server must close all running instances of the game and the Minecraft launcher. After that, the launcher should be restarted – the patched version will be downloaded and used automatically.
- Those who use modified clients and third-party launchers may not receive an automatic update. The recommendation is to follow the advice of the third-party provider in question. If the third-party provider has not patched the vulnerability or does not state that the game is safe, you should assume that the vulnerability is not fixed and you are taking a risk when playing – so stay away from Minecraft until this is resolved.
People who host their own Minecraft: Java Edition server will have to secure it themselves. Mojang states that an upgrade to the Java package is required. Here are the details:
- 1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:
- 1.17: Add the following JVM arguments to your startup command line: -Dlog4j2.formatMsgNoLookups=true
- 1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line: -Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line: -Dlog4j.configurationFile=log4j2_17-111.xml
- Versions below 1.7 are not affected
The developer states that versions below 1.7 are not affected. But here I am not sure if the developer is really sure. Initially it was said that older versions of the library were not vulnerable. But yesterday I saw the following tweet on Twitter, which at least suggests that older versions can also be attacked.
Here, I would either update the Minecraft server accordingly or temporarily shut it down until this is finally resolved.
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
Cookies helps to fund this blog: Cookie settings