A recently discovered vulnerability affecting Java versions of Minecraft makes it possible for criminals to run malicious code on end-user devices and servers running the popular game, multiple websites said Thursday.
And as if a vulnerability of this magnitude in the world’s best-selling game wasn’t serious enough, the breadth and immediacy of the bug could be even worse. Exploit code is available for the underlying vulnerability, which resides in Log4j, a logging utility that is built into some of the most widely used development frameworks on the internet, ensuring that Minecraft isn’t the only major application that will be affected.
According to reports, Internet scans are already being run in attempts to locate vulnerable servers.
@GreyNoise is currently seeing 2 unique IPs scanning the internet for the new Apache Log4j RCE vulnerability (no CVE assigned yet).
A tag to track this activity https://t.co/QckU3An40q will be available shortly and will be linked in response when published.
– remy🐀 (@_mattata) December 10, 2021
What it means for Minecraft
The Spigot game forum said that Minecraft versions 1.8.8 up to the latest version 1.18 are all vulnerable, as are other popular game servers like Wynncraft. The game server and news site Hypixel, meanwhile, urged Minecraft players to take special care.
“The problem may allow remote access to your computer through the servers you log in to,” the site’s representatives wrote. “That means that any public server you access creates a risk of being hacked.”
Reproducing exploits for this vulnerability is not straightforward because success depends not only on the version of Minecraft that is running, but also on the version of the Java framework that the Minecraft application is running on. It appears that older versions of Java have fewer built-in security protections, which makes exploits easier.
Spigot and other sources have said that adding the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most versions of Java. Spigot and many other services have already inserted the flag in the games that they make available to users.
To add the flag, users must go to their launcher, open the installations tab, select the installation in use and click “…” > “Edit” > “MORE OPTIONS”, and paste -Dlog4j2.formatMsgNoLookups=true at the end of the JVM flags.
What it means for others
As noted above, the code that makes this vulnerability possible resides in Log4j, which is built into popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means a dizzying number of third-party apps can also be vulnerable to exploits that are as serious as those that threaten Minecraft users.
“The Minecraft side looks like a perfect storm, but I suspect we’ll see affected apps and devices continue to be identified for a long time,” said HD Moore, founder and CTO of network discovery platform Rumble. “This is a big problem for older Java runtime-linked environments: web interfaces for various network devices, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for the mod compatibility.”
At the time this post was published, not much was known about the vulnerability. One of the only sources that provided a tracking number for the vulnerability was GitHub, which said it is CVE-2021-44228. Security firm Cyber Kendra reported Thursday night that a Log4j RCE zero-day had been posted on the Internet and agreed with Moore that “there are currently many popular systems on the market that are affected.”
Cyber Kendra said that in November the Alibaba Cloud security team disclosed a vulnerability in Log4j2, the successor to Log4j, that arose from recursive analysis functions, which attackers could exploit by constructing malicious requests that triggered remote code execution. The company strongly urged people to use the latest available version of Log4j2.
The Apache Foundation has yet to disclose the vulnerability, though this page acknowledges the recent repair of a serious vulnerability.
For now, people need to pay close attention to this vulnerability and its potential to unleash high-impact attacks against a wide variety of applications and services. For Minecraft users, that means staying away from unknown servers or untrusted users. For open source software users, it means checking whether the software they run relies on Log4j or Log4j2 for logging. This is a breaking story. Updates will follow if more information is available.
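One way to carry out the dependency check described above, as an added example that is not part of the original article: a Python inventory script that walks a directory, opens each Java archive (including archives nested inside other archives) and reports every bundled copy of Log4j 1.x or Log4j2 with the version recorded in its Maven metadata. The function names and the nesting limit are choices made for this example; the marker class paths are the standard package locations of Log4j's Logger classes.

```python
import io
import os
import re
import sys
import zipfile

# Class files that identify each Log4j generation inside an archive.
MARKERS = {
    "org/apache/log4j/Logger.class": "Log4j 1.x",
    "org/apache/logging/log4j/core/Logger.class": "Log4j2 (log4j-core)",
}
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # assumption for this example: stop unpacking below this nesting level

def scan_archive(fileobj, label, findings, depth=0):
    """Record Log4j copies in one archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return findings  # unreadable or not really an archive: skip it
    with zf:
        names = zf.namelist()
        version = "unknown"
        for name in names:  # Maven metadata shipped inside the log4j-core jar
            if name.endswith("log4j-core/pom.properties"):
                m = re.search(rb"^version=(\S+)", zf.read(name), re.M)
                version = m.group(1).decode() if m else version
        for name in names:
            if name in MARKERS:
                is_v2 = name.startswith("org/apache/logging/")
                findings.append((label, MARKERS[name], version if is_v2 else "unknown"))
            elif name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH:
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)
    return findings

def scan_tree(root):
    """Walk a directory; return (location, family, version) for each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh, path, findings)
    return findings

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

Builds that relocate Log4j into a different package name, or strip the Maven metadata, will not match these markers or will report the version as unknown, so an empty result is not proof that the library is absent.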