Researchers discovered a vulnerability affecting Java versions of Minecraft that allows criminals to run malicious code on servers and end-user devices running the hugely popular game, several websites reported. The underlying vulnerability resides in Log4j, a logging utility built into some of the most widely used development frameworks on the internet, which means Minecraft is far from the only major app affected.
The Spigot Game Forum noted that Minecraft versions 1.8.8 through the latest version, 1.18, are all vulnerable, as are other popular game servers such as Wynncraft. The Hypixel game server and news site, meanwhile, urged Minecraft players to be very careful.
Replicating exploits for this vulnerability is not straightforward, as success depends not only on which version of Minecraft is running but also on which version of the Java framework the Minecraft application runs on. It seems older versions of Java have fewer built-in security protections, which makes them easier to exploit.
The addition of the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most Java versions. Spigot and many other services have already inserted the flag in the games they make available to users.
The code that makes this vulnerability possible resides in Log4j, which is incorporated into popular frameworks including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. This means that a dizzying number of third-party apps can also be vulnerable to exploits that have the same high severity as those that threaten Minecraft users.
One of the only sources to provide a tracking number for the vulnerability was GitHub, which reported it to be CVE-2021-44228. The Apache Foundation has not yet disclosed the vulnerability, although this page recognizes the recent correction of a serious vulnerability.
Users should pay close attention to this vulnerability and its potential to trigger high-impact attacks against a wide variety of applications and services. For Minecraft users, this means avoiding unknown servers or untrustworthy users. For users of open-source software, this means checking whether it relies on Log4j or Log4j2 for logging.
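The two practical steps the article describes, setting the -Dlog4j2.formatMsgNoLookups=true JVM flag and checking whether software you run depends on Log4j, can be combined into a small audit script. The following is an added example written for this page, not code from any of the projects mentioned. It scans a directory for jars carrying the log4j-core markers (the Maven pom.properties file for the version, and the JndiLookup class that implements the JNDI lookup), checks whether a given launch command line carries the mitigation flag, and reports a verdict per jar. The sample jars it inspects are constructed in a temporary directory so the script runs offline; the verdict logic encodes two facts not stated in the article: the flag is only honoured by Log4j 2.10 and later, and Log4j 2.15.0 disabled message lookups by default, so older 2.x jars remain vulnerable even when the flag is set.

```python
"""Audit a directory of jars for Log4j 2 and judge whether the
formatMsgNoLookups mitigation applies.  Added example for this article;
sample jars are constructed inline (not real Log4j artefacts)."""
import os
import shlex
import tempfile
import zipfile

# Real marker paths inside a log4j-core jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            nums = []
            for part in line.split("=", 1)[1].strip().split(".")[:3]:
                digits = ""
                for ch in part:          # stop at the first non-digit ("0-beta9" -> 0)
                    if not ch.isdigit():
                        break
                    digits += ch
                nums.append(int(digits) if digits else 0)
            while len(nums) < 3:
                nums.append(0)
            return tuple(nums)
    return None


def inspect_jar(path):
    """Describe the log4j-core markers found in one jar (version, JndiLookup present)."""
    result = {"path": path, "version": None, "jndi_lookup": False}
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM in names:
                result["version"] = parse_version(zf.read(POM).decode("utf-8", "replace"))
            result["jndi_lookup"] = JNDI_CLASS in names
    except zipfile.BadZipFile:
        pass  # not a jar at all; report nothing for it
    return result


def scan_tree(root):
    """Walk root and return results for every jar that carries a log4j-core marker."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".zip")):
                info = inspect_jar(os.path.join(dirpath, name))
                if info["version"] or info["jndi_lookup"]:
                    hits.append(info)
    return hits


def has_mitigation_flag(launch_cmd):
    """True if the Java launch command line carries the formatMsgNoLookups flag."""
    return FLAG in shlex.split(launch_cmd)


def assess(info, launch_cmd):
    """Classify one jar as 'patched', 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    v = info["version"]
    if v is None:
        return "unknown"
    if v < (2, 0, 0):
        return "not_affected"   # Log4j 1.x has no message lookups; CVE-2021-44228 is a 2.x issue
    if v >= (2, 15, 0):
        return "patched"        # 2.15.0 disabled message lookups by default
    if v >= (2, 10, 0) and has_mitigation_flag(launch_cmd):
        return "mitigated"      # the flag is only honoured from 2.10 onwards
    return "vulnerable"


def make_sample_jar(directory, name, version, with_jndi=True):
    """Constructed sample: a minimal jar carrying the two log4j-core markers."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return path


def demo():
    """Scan three constructed jars against a launch command that sets the flag."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(root, "old.jar", "2.8.2")          # flag not honoured this early
        make_sample_jar(root, "server-lib.jar", "2.14.1")  # flag works here
        make_sample_jar(root, "patched.jar", "2.15.0")     # lookups off by default
        cmd = f"java -Xmx2G {FLAG} -jar server.jar nogui"
        return {os.path.basename(i["path"]): assess(i, cmd) for i in scan_tree(root)}


if __name__ == "__main__":
    for jar, verdict in sorted(demo().items()):
        print(f"{jar}: {verdict}")
```

Point scan_tree at a real server directory and pass the server's actual start command to assess to audit a live installation; nested jars (a jar inside a war) are not unpacked here, so a "no hits" result is only as good as the layout of what you scan.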