PSA: Security Exploit for Minecraft: Java Edition

Please read for full information and to keep up to date. This article is constantly updating. Last Update: Dec 10th 2021 14:31 UTC

 

 

PSA: There is a critical security exploit that affects Minecraft: Java Edition, and can make you vulnerable to undesirable consequences. If you have the game running, please shut down all running instances of the game and Launcher and restart - your Launcher will automatically download the fix. Until the issues has been fixed, we advise you to not play on any versions of Minecraft earlier than 1.12 right now.

 

https://twitter.com/slicedlime/status/1469150993527017483

 

We've now released patches for all affected clients. If you have any running game instances, close them, close the Launcher and restart again (yes, even if you did it before - do it again now).

https://twitter.com/slicedlime/status/1469277537490677766

 

 

Players:

If you use the vanilla launcher, restart it to apply the fix. This fix ONLY works for vanilla launchers and vanilla Minecraft installations. It does not work for modded clients or launchers. This fix applies for 1.6.3 onward, which is for all affected versions

Update to 1.18.1.

Forge has released a fix for 1.12 and newer. Download the installers from https://files.minecraftforge.net

Fabric has indicated that 0.12.9+ versions have been patched with a fix.

CurseForge indicates they are partly fixed if you are not using the debug logging. However, enabling debug logging will expose you to the exploit.

 

 

Server Owners:

Same list as above applies.

Spigot server owners can refer to https://www.spigotmc.org/threads/spigot-security-releases-—-1-8-8–1-18.537204/

Sponge has pushed a partial fix to their latest 1.12.2 version, however it is not a complete fix.

Paper has pushed out fixed versions. https://papermc.io/downloads

 

 

https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition

 

Official game client 

If you play Minecraft: Java Edition, but aren’t hosting your own server, you will need to take the following steps: Close all running instances of the game and the Minecraft Launcher. Start the Launcher again – the patched version will download automatically.  

Modified clients and third-party launchers  

Modified clients and third-party launchers might not be automatically updated. In these cases, we recommend following the advice of your third-party provider. If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing.

Game Server 

If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.

  • 1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:

  • 1.17: Add the following JVM arguments to your startup command line: 
    -Dlog4j2.formatMsgNoLookups=true

  • 1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line: 
    -Dlog4j.configurationFile=log4j2_112-116.xml

  • 1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your  startup command line: 
    -Dlog4j.configurationFile=log4j2_17-111.xml

  • Versions below 1.7 are not affected

12

Comments

  • To post a comment, please .
Posts Quoted:
Reply
Clear All Quotes