A newly discovered vulnerability now poses a huge threat to Java versions of Minecraft, making it possible to execute malicious code on servers as well as on the end-user devices running the popular game. The vulnerability was found in Log4j, a logging utility that is built into most of the widely used frameworks on the internet.
Minecraft Version 1.8.8 and Up Vulnerabilities
At the moment, there are several reports of servers performing internet-wide scans to try to locate vulnerable servers. The gaming forum Spigot said that Minecraft versions 1.8.8 up to the most current 1.18 release are all vulnerable.
Aside from Spigot, Wynncraft is also reportedly affected by the vulnerability. Because the vulnerability is potentially dangerous, Hypixel, a gaming server and news site, urged Minecraft players to be extra careful.
Built-in Security Protections
According to the story by ArsTechnica, reproducing exploits for this vulnerability isn't straightforward, because success depends not just on the Minecraft version running but also on the version of the Java framework that the game runs on top of.
At the moment, it looks like the older Java versions all have fewer built-in security protections, making exploits much easier. Spigot, as well as other sources, stated that adding the JVM flag "-Dlog4j2.formatMsgNoLookups=true" will help neutralize the threat for a lot of Java versions.
Spigot, as well as other services, have already been able to insert the flag directly into the games in order to make it easily available for users. To add the flag, users should follow the steps below.
@GreyNoise is currently seeing 2 unique IP's scanning the internet for the new Apache Log4j RCE vulnerability (No CVE assigned yet). A tag to track this activity on https://t.co/QckU3An40q will be made available shortly and linked as a reply when released.
— remy🐀 (@_mattata) December 10, 2021
How to Fix Vulnerability in Older Java Versions:
1. Go to Launcher
2. Open the Installations Tab
3. Select the installation in use and click on the "..."
4. Click on "Edit"
5. Choose "MORE OPTIONS"
6. Paste this at the end of the JVM flags: -Dlog4j2.formatMsgNoLookups=true
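To check the result of the steps above across several installations, the following added example (not code from Tech Times, Spigot or the launcher) audits a launcher profile file for the flag and appends it where it is missing. The "profiles" and "javaArgs" field names and the sample data are assumptions constructed for illustration.

```python
import json
import shlex

KEY = "-Dlog4j2.formatMsgNoLookups"
FLAG = KEY + "=true"

# Constructed sample, not a real launcher file. Assumption: installations sit
# under "profiles" and keep their JVM flags in one "javaArgs" string.
SAMPLE_PROFILES = """
{"profiles": {
  "a1": {"name": "Survival", "javaArgs": "-Xmx2G -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true"},
  "b2": {"name": "Creative", "javaArgs": "-Xmx4G -XX:+UseG1GC"},
  "c3": {"name": "Default"},
  "d4": {"name": "Typo", "javaArgs": "-Xmx2G -Dlog4j2.formatMsgNoLookups=ture"}
}}
"""

def has_mitigation(java_args):
    """True when the JVM flags set log4j2.formatMsgNoLookups to true."""
    value = None
    for token in shlex.split(java_args or ""):
        if token == KEY or token.startswith(KEY + "="):
            # Assumption: when a -D property repeats, the last one wins.
            value = token.partition("=")[2]
    # A misspelled value such as "ture" does not enable the mitigation.
    return value is not None and value.lower() == "true"

def add_mitigation(java_args):
    """Append the flag at the end of the JVM flags (step 6) unless already set."""
    if has_mitigation(java_args):
        return java_args
    return ((java_args or "").strip() + " " + FLAG).strip()

def audit(profiles_json):
    """Return the names of installations whose JVM flags lack the mitigation."""
    profiles = json.loads(profiles_json).get("profiles", {})
    return sorted(
        p.get("name", pid)
        for pid, p in profiles.items()
        if not has_mitigation(p.get("javaArgs"))
    )

if __name__ == "__main__":
    for name in audit(SAMPLE_PROFILES):
        print("missing mitigation:", name)
```

Log4j only reads this property from release 2.10 onward, so a clean audit confirms the setting is present, not that the bundled Log4j honors it.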
Minecraft Vulnerability Towards Malware
As per the publication, this should at least help cover the vulnerability, making it harder for malware to reach users of Minecraft (and potentially other apps) that run on the vulnerable Java version.
As stated earlier, the code that makes the vulnerability possible is located in Log4j, which is already incorporated into a number of popular frameworks like Apache Solr, Apache Struts2, Apache Druid, and Apache Flink.
This means that a pretty dizzying number of other third-party apps could also be vulnerable to exploits carrying similar or the same high severity as the ones threatening Minecraft users. Cyber Kendra, a security firm, reported that a Log4j RCE Zero day was dropped on the internet, saying there are a lot of popular systems on the market that remain affected.
This article is owned by Tech Times
Written by Urian B.