Important Major Exploit and Fixes

[Richard_BN]

A major security exploit has come to light that can have some severe consequences in a number of Minecraft releases/softwares going back years - a number of patches are being dropped to fix this where it is needed, which we will push to our systems as soon as we get the chance to do so.

Currently the following options on our jar list have had patches released for this security exploit:
- Spigot 1.8.8.
- Spigot 1.9.4.
- Spigot 1.10.2.
- Spigot 1.11.2.
- Spigot 1.12.2.
- Spigot 1.13.2.
- Spigot 1.14.4.
- Spigot 1.15.2 (with or without Aikar flags).
- Spigot 1.16.5 (with or without Aikar flags).
- Spigot 1.17.1 (with or without Aikar flags).
- Spigot 1.18 (with or without Aikar flags).
- PaperSpigot 1.16.5 (with or without Aikar flags).
- PaperSpigot 1.17.1 (with or without Aikar flags).
- PaperSpigot 1.18 (with or without Aikar flags).
- Waterfall.
- Velocity 3.*.
- Vanilla 1.18.1 Release Candidate.

If you use these options please update them ASAP by deleting the jar folder from the server files and restart the server to update to the patched builds.

Note that PaperSpigot are not backporting the fix for their 1.8-1.15.2 builds, by their own choice as these versions are not supported. If you are using these versions and do not require PaperSpigot we would either suggest using Spigot on the latest build with the security fix, or update to PaperSpigot 1.17.1/1.18 as soon as your server can be updated.

BungeeCord does not require the fix for the exploit. Whether other softwares/versions require patching, or if the above startup parameter is enough by itself, is uncertain at this time but we will update anything that releases a patch for the exploit ASAP, and all servers should update the moment they can!

To confirm - What you should be doing regarding this issue:
- Update your server jar if a build has been released to patch the exploit for the software you use.
- If you are on a heavily outdated server version, consider updating to a supported server version that is patched.
- Restart your server to make sure the above parameter is in effect if you are using an option it is now applied to.
- For players/clients using the default Minecraft launcher - fully close and relaunch it, a patch has been issued for 1.12.2+ clients. Note that this may not auto-apply if your launcher is modded, you will need to run the Minecraft version without mods to be sure you get the patch. For other launchers you will need to check their updates/support etc... to see if they have pushed a patch yet.
- Where applicable use the plugins here, as they protect your players from the exploit as well if their client has not been patched to fix it their end yet:
https://github.com/FrankHeijden/Log4jFix/releases/

 

[Richard_BN]

Minecraft 1.18.1 has now been released, which has patched the issue serverside (with 1.18.1 clients also being patched) so the startup flag and plugin are no longer required to protect against the issue if you update both client and server to 1.18.1.
If you are using Vanilla, Spigot or PaperSpigot 1.18 please update to 1.18.1 as soon as you can - if you are using the Default option either switch to the relevant 1.18.1 option or delete the jar folder and restart as this option now runs on Vanilla 1.18.1.

The following options have had new builds since the above post to patch this issue and should be updated ASAP (delete the jar folder and restart):
- Waterfall.
- NukkitX.
- All Fabric options.
- Both Mohist options.
- The new Latest builds for Forge 1.17.1 and 1.18. Please remember if you update to the new build that when updating it will wipe your mods/configs on first run - download them first, set the server to run a new world and then update and when it comes up as online shut it back down, reupload your mods/configs, set it back to your world and restart again.

For server versions whose server software has not pushed a patch but can use plugins, the plugins linked in the above post should be used to protect your players in case their clients are not patched to fix the exploit. Mojang have pushed client patches for all effected versions now, so a full close of your launcher and run it again should apply the patch and keep you safe from the exploir clientside (the serverside fixes still need to be done regardless, the issue is on both fronts), but other launchers or a modded MC launcher may not have the patch applied, so these plugins will help protect your players.

All options on our jar list also now use the -Dlog4j2.formatMsgNoLookups=true flag, regardless of server version, which will apply to your server after it's next restart. Some versions may not require this flag, either due to not being effected by the exploit or having been patched internally, but it's better safe than sorry as it has no negative effect in being added for any versions/setups as far as we can see.
Per the recommendations from Mojang themselves, the -Dlog4j.configurationFile=log4j2_112-116.xml and -Dlog4j.configurationFile=log4j2_17-111.xml flags have also been added as options for the relevant Vanilla versions (via the Advanced > Startup Parameters page of the control panel). When using this you will need to add the linked file to the base directory of your server files as well. We have not added this to any non-Vanilla options at this time (other than the Custom Server JAR options for Java 8/11) as it is has not been recommended as of yet to do so.

In general however, it is very strongly recommended to update to the newest Minecraft versions as soon as possible where possible so you have real patches applied to the server software and aren't relying solely on the above plugin or flags for protection.

All non-modded setups are able to update to newer versions - there are no real/valid reasons to be using <1.12.2 at this time which are 5+ years old, heavily outdated and missing fixes to things on a number of fronts and have not been supported for a very long time, and as such should not be expected to receive fixes to major issues like this (the biggest offender here, as always, being the 1.8 brigade that refuse to update because of small things like the PVP changes - you can update and change those features via plugins, it is not a valid reason to remain on extremely outdated software).

It should also be noted that singleplayer is completely safe from the issue, and whitelisted/private servers are pretty much safe from the issue too as people exploiting the issue should not be present on your server to do it - however it is still very strongly recommended to do the applicable fixes ASAP just in case. No server IP is unique and may have been in use before and whitelists are not 100% foolproof - all multiplayer servers have a risk of randoms joining, even if it's a very miniscule risk, and patching the issue via updating the server jar and/or version and adding the plugin where possible should be done ASAP in all instances.

The post from Mojang themselves regarding this issue can be found here: https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition

 

[Richard_BN]

Further options that have released patches:
- New Latest build, with the patch, for Forge 1.12.2.
- New Latest build, with the patch, for Forge 1.13.2.
- New Latest build, with the patch, for Forge 1.14.4.
- New Latest build, with the patch, for Forge 1.15.2.
- New Latest build, with the patch, for Forge 1.16.5.

Some modpacks are also pushing updates to these new/patched Forge builds which will be added as they come out - make sure to update if you see a new option for the modpack you are using appear on the list!

 

[Richard_BN]

Forge 1.7-1.11.2 options on the jarlist, whether they be a modpack or Forge itself, now have the -Dlog4j.configurationFile=log4j2_server.xml optional flag available on the Advanced > Startup Parameters page of the control panel. When using you will need the relevant .xml file present in the servers base directory, which is linked in the description on the control panel.

All modpacks on the jar list running 1.12.2+ have been updated to the latest Forge builds that have the patch (whether the modpack itself has updated or not) - deleting the jar folder and restarting on the same option will reinstall the modpack with the patched Forge build.

The .xml files for all options that require them can be downloaded here:
- Vanilla 1.7-1.11.2
- Vanilla 1.12.2-1.16.5
- Forge 1.7-1.11.2