In response to a published vulnerability in the Apache Log4j Java-based logging library used by Minecraft, Mojang today released Minecraft Java Edition 1.18.1. The vulnerability is documented under CVE-2021-44228 and nicknamed “Log4Shell”. It affects applications using versions of log4j prior to 2.15.0. Mojang published an article that described steps to take depending on the version of Minecraft running.
- Minecraft Vanilla has been patched to 1.18.1 to protect against the vulnerability.
- Minecraft RAD has been updated with an XML file, and configuration changes made to JVM startup, to protect against the vulnerability.
Thank you to Mojang for responding quickly to the published security issue.
There are a few generic changes that can be applied to other software to protect againt the exploit:
- Update log4j to version 2.15.0.
- Update Java to version 8u121 – this defaults certain values to “false” to protect against remote code execution.
- Set the log4j2.formatMsgNoLookups=True in Java arguments on application startup.