Please read for full information and to keep up to date. This article is constantly updating. Last Update: Dec 10th 2021 14:31 UTC
PSA: There is a critical security exploit that affects Minecraft: Java Edition, and can make you vulnerable to undesirable consequences. If you have the game running, please shut down all running instances of the game and Launcher and restart - your Launcher will automatically download the fix. Until the issue has been fixed, we advise you to not play on any versions of Minecraft earlier than 1.12 right now.
https://twitter.com/slicedlime/status/1469150993527017483
We've now released patches for all affected clients. If you have any running game instances, close them, close the Launcher and restart again (yes, even if you did it before - do it again now).
https://twitter.com/slicedlime/status/1469277537490677766
Players:
If you use the vanilla launcher, restart it to apply the fix. This fix ONLY works for vanilla launchers and vanilla Minecraft installations. It does not work for modded clients or launchers. This fix applies for 1.6.3 onward, which is for all affected versions.
Update to 1.18.1.
Forge has released a fix for 1.12 and newer. Download the installers from https://files.minecraftforge.net
Fabric has indicated that 0.12.9+ versions have been patched with a fix.
CurseForge indicates they are partly fixed if you are not using the debug logging. However, enabling debug logging will expose you to the exploit.
Server Owners:
Same list as above applies.
Spigot server owners can refer to https://www.spigotmc.org/threads/spigot-security-releases-—-1-8-8–1-18.537204/
Sponge has pushed a partial fix to their latest 1.12.2 version, however it is not a complete fix.
Paper has pushed out fixed versions. https://papermc.io/downloads
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
Official game client
If you play Minecraft: Java Edition, but aren’t hosting your own server, you will need to take the following steps: Close all running instances of the game and the Minecraft Launcher. Start the Launcher again – the patched version will download automatically.
Modified clients and third-party launchers
Modified clients and third-party launchers might not be automatically updated. In these cases, we recommend following the advice of your third-party provider. If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing.
Game Server
If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.
- 1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:
- 1.17: Add the following JVM arguments to your startup command line:
  -Dlog4j2.formatMsgNoLookups=true
- 1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
  -Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
  -Dlog4j.configurationFile=log4j2_17-111.xml
- Versions below 1.7 are not affected.
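As an added example (not from this post, the Mojang article, or any of the posters), here is a POSIX sh helper that turns the per-version server steps above into a start command. It picks the JVM flag quoted for each version range and refuses to launch when the range needs one of the two config files and that file is not in the working directory: Log4j 2 logs an error for a missing configuration file and falls back to another configuration, so the mitigation would silently not apply. The function names, the -Xmx2G heap setting, the server.jar name and the working-directory argument are assumptions; the -D flags and the two config file names are the ones quoted above, and since the contents of those files are not on this page the script only checks that they exist.

```shell
#!/bin/sh
# Added example: choose Log4Shell mitigation flags for a Minecraft: Java
# Edition server by version, following the steps quoted above.
# Helper names and the java command shape are invented here.

# ver_key 1.16.5 -> 16005, ver_key 1.12 -> 12000, ver_key 1.7.10 -> 7010
# (all versions in scope are 1.x, so minor*1000 + patch orders them).
ver_key() {
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    echo $((minor * 1000 + patch))
}

# Print the JVM arguments the quoted advice gives for this version,
# or nothing when none are needed.
mitigation_flags() {
    k=$(ver_key "$1")
    if [ "$k" -ge 18001 ]; then
        # 1.18.1 and later ship with the fix; nothing to add
        echo ""
    elif [ "$k" -ge 17000 ]; then
        # 1.17.x, and a 1.18 that cannot be upgraded yet: disable lookups
        echo "-Dlog4j2.formatMsgNoLookups=true"
    elif [ "$k" -ge 12000 ]; then
        # 1.12 - 1.16.5: point Log4j at the downloaded config file
        echo "-Dlog4j.configurationFile=log4j2_112-116.xml"
    elif [ "$k" -ge 7000 ]; then
        # 1.7 - 1.11.2: point Log4j at the other downloaded config file
        echo "-Dlog4j.configurationFile=log4j2_17-111.xml"
    else
        # versions below 1.7 are not affected
        echo ""
    fi
}

# Build the start command: server_command <version> [jar] [workdir].
# Fails instead of starting when the required config file is absent from
# the working directory, so a typo'd download cannot leave the server
# running on its default, unmitigated logging configuration.
server_command() {
    version=$1
    jar=${2:-server.jar}
    dir=${3:-.}
    flags=$(mitigation_flags "$version") || return 1
    case $flags in
        -Dlog4j.configurationFile=*)
            cfg=${flags#-Dlog4j.configurationFile=}
            if [ ! -f "$dir/$cfg" ]; then
                printf 'refusing to start: %s not found in %s\n' "$cfg" "$dir" >&2
                return 1
            fi
            ;;
    esac
    printf 'java -Xmx2G %s-jar %s nogui\n' "${flags:+$flags }" "$jar"
}

# Usage: sh start_mc.sh <version> [jar] [workdir]
if [ $# -gt 0 ]; then
    server_command "$@"
fi
```

Run it from the directory the server starts in, e.g. `sh start_mc.sh 1.16.5 server.jar`, and feed its output to your service wrapper; a non-zero exit means the config file the quoted steps told you to download is missing. Versions 1.18.1 and newer get no extra flags, matching the advice to upgrade rather than patch around the problem.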
Why is there no official information if MC 1.18.1 is vulnerable to the second CVE-2021-45046?
This new CVE was discovered 4 days after this statement, and it was just upgraded to severity 9 (limited remote execution).
And why did you delete the Tickets in Jira corresponding to that new issue?
If MC is not vulnerable to this new CVE, then please close the ticket and make a statement. But deleting the ticket completely with zero information?
What kind of shadowy behaviour is that?
I am lucky for not seeing any trace or being affected by this exploit. I didn't even hear about it until a couple days ago. Wow.
I luckily heard of it when it happened thanks to direwolf20
Dang
1.18.1 it is.
Hello - Minecraft (the java client) is still being flagged as vulnerable when I use this Log4j scanner:
https://github.com/mergebase/log4j-detector#itemapi
It looks like Minecraft uses version 2.14.1 of Log4j, and this version is flagged as vulnerable. Long story short is that I have to delete Minecraft unless it can pass this scanner. Is there any way to configure Minecraft to use a later version of log4j? I believe Mojang's fix for the vulnerability was to turn off some features of log4j 2.14.1, but it would be much better if they just used a non-vulnerable version.