Having been released over 9 years ago, Minecraft 1.7.10 is no longer officially supported, which means it is up to the users to mitigate security vulnerabilities.
I cannot guarantee this list is complete or accurate, this is just a compilation of what I have learned.
Date discovered: 2021-12-10
Severity: Allows remote code execution.
Affected: Potentially anyone running a server or connecting to one, even in vanilla.
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Mitigation:
- MultiMC and its derivatives automatically use a patched version of Log4J to fix the issue
- CreeperHost's Log4jPatcher is a Java agent that can be used on servers.
- The following mods mitigate the issue:
- FoamFix (CurseForge | Modrinth | GitHub)
- Healer (CurseForge | Modrinth | GitHub)
- JDK versions greater than
8u191are partially invulnerable, but it is still recommended to seek a more complete solution.
Date discovered: 2022-10-27
Severity: Allows restricted remote file access, and by extension, remote code execution.
Affected: Servers running BiblioCraft.
Details: https://github.com/Exopteron/BiblioRCE
Mitigation:
- CreeperHost's java agent can be used on servers.
- The following mods mitigate the issue:
- FoamFix (CurseForge | Modrinth | GitHub)
Date discovered: 2023-07-29
Severity: Allows remote code execution on clients and servers (and therefore all connected clients on a server).
Affected: Servers running vulnerable mods and players connected to them.
Details: https://github.com/dogboy21/serializationisbad
Mitigation:
- The following mods mitigate the issue:
- SerializationIsBad (CurseForge | Modrinth | GitHub)
- PipeBlocker (CurseForge | Modrinth | GitHub)
- "only works on [1.7.10 and 1.12.2] and has some known limitations/issues which may not be addressed (it will not work on the old version of Java provided by the CurseForge & Mojang launchers, for example)." - embeddedt, 2023-08-03