@aeonlamb
Last active January 7, 2022 13:20
How to protect yourself from the log4j2 exploit in Minecraft multiplayer

The Log4j2 Vulnerability

Hello! You may have heard about the recent log4j2 vulnerability that has been plaguing much of the internet, particularly Minecraft. If you haven't heard, this exploit is quite nasty and could be used to spread viruses to your computer through a simple chat message. (That sounds like fearmongering/overreacting, but it's real.) This exploit was first discovered on December 9th, 2021. Please read this gist in full to get the information you need to keep yourself safe!

If you're a Minecraft player who wants to play multiplayer once again, but you aren't sure whether you're safe from the exploit or not, here are a few things you can do to ensure you are safe.

Please note, this vulnerability only affects Minecraft Java Edition. If you play on Minecraft Bedrock Edition, you should have nothing to worry about.

If you'd like to know more about this vulnerability, view Mojang's post about this exploit and how to keep yourself safe here. I've written this guide to go into a bit more detail about third-party launchers and modded Minecraft clients; Mojang's blog post only covers what vanilla players need to know.

Launchers

Vanilla Launcher(s)

The vanilla launcher, both the independent app and the Microsoft Store version, will automatically patch the vanilla .jar files of every affected Minecraft version when you launch the game. If you use Forge, Fabric, or Optifine, however, it may not automatically apply the patches to these installations. If you use the old (2016 or earlier) Minecraft launcher, it is unknown whether it will apply patches to the vanilla .jar files automatically. You should update to the newer Minecraft launcher, just in case.

From my testing, I was able to launch old profiles of Fabric, Forge, and Optifine, and could not get the exploit to work in any of them. But, there's no way to be sure unless you update. If you're using a modded client, scroll down for more details.

MultiMC

If you are using the MultiMC launcher, you should read this statement that the developers of MultiMC wrote about how they've mitigated the Log4j2 vulnerability.

MultiMC will force Minecraft to use a patched log4j2 file, and prevent any mods from bundling unsafe versions of it. Essentially, they've nigh-guaranteed that you will be safe from this exploit, unless you are running a "customized version". The announcement linked previously explains what this means, if you're confused. Still, you should update your modloader/mods regardless!

Lunar Client

If you're someone who uses Lunar Client, I've read from various places (reddit, discord) that the Lunar developers have patched this exploit within their client. I can't find any first-source accounts stating this, so if you want to be sure, I suppose you have to join their discord server where they made this announcement.

Technic Launcher

This news post from the developers details how they went about fixing the exploit. Crucially, it notes that the exploit is only patched in the latest build of the launcher, which means that if you are using any build of the Technic Launcher prior to build #707, you are vulnerable to this exploit. You should update the launcher ASAP to ensure you don't forget about it later.

ATLauncher

According to their website, the latest version of the ATLauncher will automatically patch the exploit on any installations launched through it. Please download the latest version of the launcher (3.4.10.8 at time of writing) to receive the patch. You will not be protected from this exploit until you update the launcher! So, please update ASAP to ensure you don't forget about it later.

GDLauncher

On the issues page of their GitHub, there is a closed issue that discusses the log4j2 exploit. The latest release of GDLauncher (v1.1.18 at time of writing) has a fix for the exploit. Please note: You will not be protected from this exploit until you update the launcher! So, please update ASAP to ensure you don't forget about it later.

Twitch Launcher / Curseforge Launcher

I can't seem to find much information on these launchers. It was difficult even finding the correct download page for them! I'm too lazy to download and test them myself; considering that their primary purpose isn't even for Minecraft, I would treat these launchers with caution, and consider any Minecraft profile created under them to be susceptible to this exploit. If I'm wrong, please let me know.

Tlauncher

This seems like a launcher for people who have pirated the game. This one will probably try to give you viruses even if it has the log4j2 thing patched. No thanks.

Badlion Client

I'm unsure, but I think Badlion Client may no longer be supported? I'm not very familiar with this world of custom "clients" with baked-in mods. It seems like Lunar Client is more popular these days, anyway.

Other launchers/clients

I'm unsure of what other popular launchers/clients are out there; I mostly stick to the vanilla launcher. Please leave a comment if you use another launcher, or know of any other popular launchers I should include here.

Vanilla/Modded Clients

Vanilla

Every version of vanilla Minecraft (Java Edition) from release 1.7 to 1.18 is susceptible to this exploit. Versions older than 1.7 are not susceptible to it, and Minecraft 1.18.1 is patched inherently. If you download any of the affected versions fresh from Mojang, you will receive a patched version that is not susceptible to this exploit. By default, the vanilla launcher will try to download patches for the version of Minecraft you're playing, unless you're playing in offline mode. Please see the "Launchers" section if you're unsure whether your launcher will automatically apply patches or not. I will repeat this part: If you are playing on any version of Minecraft 1.18.1 or later, you are inherently safe from this exploit and have nothing to fear.
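If you want to check an installation yourself rather than trust that a launcher applied the patch, the following script is an added example (not code from this gist, from Mojang, or from any launcher). It assumes the vanilla launcher's libraries layout (.minecraft/libraries/org/apache/logging/log4j/log4j-core/<version>/log4j-core-<version>.jar), treats log4j-core 2.17.0 or newer as fixed, and treats the JVM arguments from Mojang's announcement (-Dlog4j2.formatMsgNoLookups=true, which only log4j 2.10 and newer honour, or -Dlog4j.configurationFile= pointing at the patched .xml the launcher downloads) as the mitigation for older jars.

```python
import re
from pathlib import Path

# Added example, not the gist's, Mojang's or any launcher's own code. Assumes the vanilla
# launcher layout: .../libraries/org/apache/logging/log4j/log4j-core/<ver>/log4j-core-<ver>.jar
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(-[A-Za-z0-9.]+)?\.jar$")
FIXED = (2, 17, 0)  # release that closed the lookup bugs; the chat-message attack hits < 2.15.0

def jar_version(name):
    """Return (version tuple, is_prerelease) for a log4j-core jar, or None for any other jar."""
    m = JAR_RE.search(Path(name).name)
    if not m:
        return None
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) is not None  # "2.0-beta9" -> ((2, 0), True)

def core_is_fixed(nums, prerelease):
    """True once the jar is 2.17.0 or newer; a pre-release of a version sorts below that version."""
    padded = nums + (0,) * (3 - len(nums))
    return padded > FIXED if prerelease else padded >= FIXED

def jvm_args_mitigate(jvm_args, nums):
    """Mojang's announced fixes for older jars are JVM arguments:
    -Dlog4j2.formatMsgNoLookups=true (only honoured by log4j 2.10 and newer) or
    -Dlog4j.configurationFile=<patched log4j2 xml> (the .xml file the launcher downloads)."""
    if any(a.startswith("-Dlog4j.configurationFile=") for a in jvm_args):
        return True
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args and nums[:2] >= (2, 10)

def assess(jar_names, jvm_args=()):
    """Sort every log4j-core jar in jar_names into fixed / mitigated / exposed."""
    report = {"fixed": [], "mitigated": [], "exposed": []}
    for name in jar_names:
        parsed = jar_version(name)
        if parsed is None:
            continue  # some other library, not log4j-core
        nums, prerelease = parsed
        if core_is_fixed(nums, prerelease):
            report["fixed"].append(name)
        elif jvm_args_mitigate(jvm_args, nums):
            report["mitigated"].append(name)
        else:
            report["exposed"].append(name)
    return report

def scan_libraries(libraries_dir, jvm_args=()):
    """Walk a launcher's libraries directory and assess every jar found under it."""
    return assess([str(p) for p in Path(libraries_dir).rglob("*.jar")], jvm_args)
```

Run scan_libraries on your .minecraft/libraries folder together with the JVM arguments of the profile you launch; anything listed under "exposed" is a jar the launcher has neither replaced nor configured around.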

Optifine

If you launch Minecraft with Optifine installed (and only Optifine) from either the vanilla launcher or the MultiMC launcher, you should receive the patch that keeps you safe, assuming you launch it in online mode. If you want to be extra sure, you can launch vanilla Minecraft for the version you're trying to play, then run the Optifine installer again to install Optifine on the freshly patched vanilla .jar.

Fabric

If you launch Minecraft with the Fabric modloader installed from either the vanilla launcher or the MultiMC launcher, you should receive the patch that keeps you safe, assuming you launch it in online mode. If you want to be extra sure, simply updating to the latest Fabric modloader version (0.12.11) for your Minecraft version of choice will patch the exploit inherently. You should do this anyway, but if you're feeling lazy the Minecraft launcher should have your back. If it were me, I'd want to make sure, though.

Forge

I am not as familiar with Forge these days, as I use the Fabric modloader now. However, if you download the most recent version of Forge for your Minecraft version of choice (only for 1.12+), you should be safe from this exploit. I did attempt to launch an old Forge 1.8.8 installation, and I could not get the exploit to work. However, I am not certain if this was simply a fluke, or if the vanilla launcher protected me somehow. The vanilla launcher did seem to download an .xml file; perhaps this file was the one that patched the game. Your mileage may vary.

Liteloader

Liteloader has not been updated since Minecraft 1.12.2, and as far as I'm aware is unsupported at this point. I have no way of knowing whether Liteloader installations will be patched properly by the launcher or not; please let me know if you have any insight on this.

Rift

The Rift modloader was a modloader that only really existed during the awkward transition between the "pre-flattening" and "post-flattening" Minecraft versions. Once Fabric hit the scene for Minecraft 1.14, there was no more need for Rift, and thus it never gained any traction. If you need to play using mods on 1.13 (for some reason) and Forge isn't your jam, then Rift is the only other real option. I tried launching my old Rift 1.13.2 profile, and I couldn't seem to get the exploit to work here, either. Again, it may be a fluke, so I'm not really sure. But there's probably no one reading this who this is relevant to; I just wanted to put it here for completion's sake.

Servers?

I might edit/tweak this section later, but just as a brief overview:

Realms: If you are playing on Realms you are safe from this exploit. Realms are always kept up to date with the latest Minecraft version, and the latest version is 1.18.1, which is already patched.

Vanilla: Your vanilla Minecraft server will not automatically patch itself. Follow the instructions in Mojang's announcement if you're running any Minecraft version prior to 1.18.1.

Bukkit/Spigot: Run BuildTools again as instructed on the Spigot forums; it should generate a safe build of Spigot for you. Also, consider switching to Paper.

PaperMC/Tuinity: If you're running Paper 1.16.5, just update to the latest version available. If you're running Paper 1.15.2 or earlier, you can follow the instructions in Mojang's announcement post about the exploit to protect your server. If you're using Tuinity, update to Paper, as the projects have merged.

Forge: Update to the latest Forge version for the version of Minecraft you are playing on. Forge servers from 1.7 to 1.11 are likely vulnerable to the exploit; proceed with caution.

Fabric: Update your server to Fabric version 0.12.11 or later.

Sponge Vanilla: There is a hotfix available here for the Sponge Vanilla server. If you are using SpongeForge, simply update Forge.

Other notes

There may be some launchers, clients, modloaders, and server software I forgot to mention here. I tried to mention as many popular clients/launchers as I could, but I likely missed some.

If you'd like to test your client for this exploit, I have set up a simple Minecraft server you can join to test it. Join log4check.4sheep.co in Minecraft (any version 1.12.2+), and the server will kick you after a moment and inform you if you are vulnerable to the exploit or not. This server is just my own instance of this little project: https://github.com/ejm/log4check, so you can review the code there if you're worried. I am running it on a personal VPS I own & have properly secured, so there should be no cause for concern.

Please leave a comment if a prominent launcher/client/server software that you know of is not included here, or if you have additional info on any of these. If you have any questions, feel free to send me an ask, or you may DM me on twitter here. Hope this helped!
