Bug 828936 - <games-server/minecraft-server-1.18.1 remote code execution via bundled log4j
Summary: <games-server/minecraft-server-1.18.1 remote code execution via bundled log4j
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.minecraft.net/de-de/artic...
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2021-4104
Reported: 2021-12-11 15:45 UTC by Conrad Kostecki
Modified: 2023-12-20 07:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Conrad Kostecki gentoo-dev 2021-12-11 15:45:42 UTC
See tracker for details on the log4j vulnerability.

If you're hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you're using, in order to secure it.

    1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:

    1.17: Add the following JVM arguments to your startup command line:
    -Dlog4j2.formatMsgNoLookups=true

    1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
    -Dlog4j.configurationFile=log4j2_112-116.xml

    1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
    -Dlog4j.configurationFile=log4j2_17-111.xml

    Versions below 1.7 are not affected.
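As an added example, not part of the bug report or of Mojang's instructions: a POSIX sh helper that maps a server version to the mitigation listed above and refuses to emit a -Dlog4j.configurationFile argument unless the referenced XML file is actually present in the working directory. The function names and the optional WORKDIR parameter are my own.

```shell
#!/bin/sh
# Added example: choose the Log4Shell mitigation for a Minecraft: Java
# Edition server from its version, following the table in the report.
# Prints the JVM argument to prepend to the startup command line and
# prints nothing for versions that are already patched or not affected.

# ver_num 1.16.5 -> 1016005: pack major.minor.patch into one integer so
# versions can be compared with -ge (missing components count as 0).
ver_num() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# minecraft_log4j_args VERSION [WORKDIR]
# Echoes the mitigation argument for VERSION. Returns 1 (and prints a
# diagnostic on stderr) when the needed log4j2 config file is missing from
# WORKDIR (default: the current directory), since the server would silently
# start unmitigated with the argument pointing at a file that does not exist.
minecraft_log4j_args() {
    v=$(ver_num "$1")
    dir=${2:-.}
    cfg=
    if [ "$v" -ge "$(ver_num 1.18.1)" ]; then
        return 0                      # fixed upstream in 1.18.1, nothing to add
    elif [ "$v" -ge "$(ver_num 1.17)" ]; then
        echo "-Dlog4j2.formatMsgNoLookups=true"   # 1.17.x and 1.18.0
    elif [ "$v" -ge "$(ver_num 1.12)" ]; then
        cfg=log4j2_112-116.xml        # bundled log4j predates the flag above
    elif [ "$v" -ge "$(ver_num 1.7)" ]; then
        cfg=log4j2_17-111.xml
    else
        return 0                      # below 1.7: not affected
    fi
    if [ -n "$cfg" ]; then
        if [ ! -f "$dir/$cfg" ]; then
            echo "error: $cfg not found in $dir, download it first" >&2
            return 1
        fi
        echo "-Dlog4j.configurationFile=$cfg"
    fi
}

# Intended use on the startup line, e.g.:
#   java $(minecraft_log4j_args 1.16.5) -Xmx2G -jar minecraft_server.jar nogui
```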
Comment 1 Conrad Kostecki gentoo-dev 2021-12-11 15:48:03 UTC
Update 1.18.1 has already been committed: https://gitweb.gentoo.org/repo/gentoo.git/commit/games-server/minecraft-server?id=6b87a95efc7a613a60d35bfd87b467c04b038837

Vulnerable 1.18.0 has been also dropped: https://gitweb.gentoo.org/repo/gentoo.git/commit/games-server/minecraft-server?id=310828efa141fdfeecff9878aefb98ea778b8d23

As for stable 1.16.5, there is a workaround, which I will commit. This is still TODO.
Comment 2 Larry the Git Cow gentoo-dev 2021-12-11 17:12:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b294e9e755c89eb36758724b6e74b70de2c86c5

commit 5b294e9e755c89eb36758724b6e74b70de2c86c5
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-11 17:08:53 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-11 17:08:57 +0000

    games-server/minecraft-server: drop 1.16.5
    
    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 .../minecraft-server-1.16.5.ebuild                 | 54 ----------------------
 1 file changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9efd7aaf26aae0f3983d42906b9daa9de366ca9a

commit 9efd7aaf26aae0f3983d42906b9daa9de366ca9a
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-11 17:08:01 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-11 17:08:01 +0000

    games-server/minecraft-server: add workaround for log4j rce
    
    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 .../minecraft-server/files/log4j2_112-116.xml      | 28 +++++++++
 .../files/minecraft-server.initd-r6                | 67 ++++++++++++++++++++++
 .../files/minecraft-server.service-r1              | 17 ++++++
 .../minecraft-server-1.16.5-r1.ebuild              | 55 ++++++++++++++++++
 4 files changed, 167 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-12-20 07:21:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ba8f7f6d104d3a092168a3fee70e8bd011b3d7a

commit 4ba8f7f6d104d3a092168a3fee70e8bd011b3d7a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-20 07:18:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-20 07:21:10 +0000

    [ GLSA 202312-02 ] Minecraft Server: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/828936
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)