See tracker for details on the log4j vulnerability.

If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.

1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:

1.17: Add the following JVM arguments to your startup command line:
-Dlog4j2.formatMsgNoLookups=true

1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
-Dlog4j.configurationFile=log4j2_112-116.xml

1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
-Dlog4j.configurationFile=log4j2_17-111.xml

Versions below 1.7 are not affected
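A startup-command check for the per-version steps listed above, as an added example that is not part of the original report or of the Gentoo package. The names `required_mitigation` and `audit` are hypothetical, and treating releases after 1.18.1 as fixed is an assumption drawn from the upgrade advice.

```python
import shlex
from pathlib import Path

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
CONFIG_ARG = "-Dlog4j.configurationFile="

def parse_version(text):
    """'1.16.5' -> (1, 16, 5); a missing patch level counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def required_mitigation(version):
    """Return (jvm_argument, config_file) from the list above, or (None, None)."""
    v = parse_version(version)
    if v < (1, 7, 0):
        return None, None  # versions below 1.7 are not affected
    if v <= (1, 11, 2):
        return CONFIG_ARG + "log4j2_17-111.xml", "log4j2_17-111.xml"
    if v <= (1, 16, 5):
        return CONFIG_ARG + "log4j2_112-116.xml", "log4j2_112-116.xml"
    if v <= (1, 18, 0):
        return FLAG, None  # 1.17.x, and 1.18 when it cannot be upgraded
    return None, None  # assumption: 1.18.1 and later ship the fix

def audit(version, command_line, workdir):
    """List what is missing; an empty list means the documented step is in place."""
    argument, config = required_mitigation(version)
    if argument is None:
        return []
    tokens = shlex.split(command_line)
    # Only options placed before -jar reach the JVM; anything after the jar
    # name is handed to the server as a program argument and has no effect.
    jvm_options = tokens[:tokens.index("-jar")] if "-jar" in tokens else tokens
    problems = []
    if argument not in jvm_options:
        problems.append("missing JVM argument " + argument)
    if config and not (Path(workdir) / config).is_file():
        problems.append(config + " not found in " + str(workdir))
    return problems

if __name__ == "__main__":
    # Constructed startup lines: the second puts the flag after the jar name.
    good = "java -Xmx2G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui"
    bad = "java -Xmx2G -jar server.jar nogui -Dlog4j2.formatMsgNoLookups=true"
    print(audit("1.17.1", good, "."))
    print(audit("1.17.1", bad, "."))
    print(audit("1.16.5", "java -jar server.jar nogui", "."))
```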
Update 1.18.1 has been already committed:
https://gitweb.gentoo.org/repo/gentoo.git/commit/games-server/minecraft-server?id=6b87a95efc7a613a60d35bfd87b467c04b038837

Vulnerable 1.18.0 has been also dropped:
https://gitweb.gentoo.org/repo/gentoo.git/commit/games-server/minecraft-server?id=310828efa141fdfeecff9878aefb98ea778b8d23

As for stable 1.16.5, there is a workaround, which I will commit. This is still TODO.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b294e9e755c89eb36758724b6e74b70de2c86c5

commit 5b294e9e755c89eb36758724b6e74b70de2c86c5
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-11 17:08:53 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-11 17:08:57 +0000

    games-server/minecraft-server: drop 1.16.5

    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 .../minecraft-server-1.16.5.ebuild | 54 ----------------------
 1 file changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9efd7aaf26aae0f3983d42906b9daa9de366ca9a

commit 9efd7aaf26aae0f3983d42906b9daa9de366ca9a
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-11 17:08:01 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-11 17:08:01 +0000

    games-server/minecraft-server: add workaround for log4j rce

    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 .../minecraft-server/files/log4j2_112-116.xml | 28 +++++++++
 .../files/minecraft-server.initd-r6 | 67 ++++++++++++++++++++++
 .../files/minecraft-server.service-r1 | 17 ++++++
 .../minecraft-server-1.16.5-r1.ebuild | 55 ++++++++++++++++++
 4 files changed, 167 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ba8f7f6d104d3a092168a3fee70e8bd011b3d7a

commit 4ba8f7f6d104d3a092168a3fee70e8bd011b3d7a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-20 07:18:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-20 07:21:10 +0000

    [ GLSA 202312-02 ] Minecraft Server: Remote Code Execution

    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)