There is a Minecraft server and client exploit that affects Minecraft versions 1.8 - 1.18, and it can be used to compromise a system and run arbitrary code.
Vulnerability description
Apache Log4j2 is a Java-based logging tool. This tool rewrites the Log4j framework and introduces a lot of rich features. The log framework is widely used in business system development to record log information.
In most cases, developers may write error messages caused by user input into the log. Attackers can use this feature to construct special data request packets through this vulnerability, and ultimately trigger remote code execution.
On November 24, 2021, the Alibaba Cloud security team officially reported the Apache Log4j2 remote code execution vulnerability to Apache. Because some functions of Apache Log4j2 have recursive analysis functions, attackers can directly construct malicious requests to trigger remote code execution vulnerabilities.
Vulnerability exploitation does not require special configuration. After verification by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. are all affected.
Alibaba Cloud Emergency Response Center reminds Apache Log4j2 users to take security measures as soon as possible to prevent vulnerability attacks.
Level of the vulnerability: Serious (Critical)
Also, if vendors have not pushed out the patch yet for their applications, you can easily take out the snippet of code that is vulnerable to this attack as well. I believe log4j 2.15.rc2 is the new patched version, and it affects versions 2.0-2.14.
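A defender-side check for the two things this post mentions, as an added example that is not part of the original thread: it opens a jar (and any jars nested inside it), reports the log4j-core version, and flags copies in the 2.0-2.14 range given in the post that still contain the JNDI lookup class, which is the class normally removed as the stopgap. The function names and the sample archives are constructed for illustration; copies with no version metadata are flagged conservatively.

```python
import io
import re
import zipfile

# Entry names as they appear inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def in_stated_range(version):
    """True for 2.0 through 2.14.x, the affected range given in the post."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and int(m.group(1)) == 2 and int(m.group(2)) <= 14

def audit_archive(data, name="<archive>", depth=0):
    """Return one finding per log4j-core copy in the archive bytes,
    descending into nested archives (fat jars, wars, ears)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # shaded copies may carry no pom.properties
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else version
            has_jndi = JNDI_CLASS in names
            # Needs action only if the class is still there and the version is in range.
            risky = has_jndi and (version == "unknown" or in_stated_range(version))
            findings.append({"path": name, "version": version,
                             "jndi_lookup_present": has_jndi, "needs_action": risky})
        if depth < 4:  # bound recursion on odd or hostile archives
            for inner in sorted(names):
                if inner.lower().endswith((".jar", ".war", ".ear")):
                    findings += audit_archive(zf.read(inner), f"{name}!/{inner}", depth + 1)
    return findings

def make_zip(entries):
    """Build a constructed sample archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

def sample_core(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real build)."""
    entries = {POM_PROPS: f"version={version}\n"}
    return make_zip({**entries, JNDI_CLASS: b"\xca\xfe\xba\xbe"} if with_jndi else entries)
```

To audit a real file, pass its bytes and path, for example `audit_archive(open(path, "rb").read(), path)`.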
such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least
Originally posted by the man who put it in my hood
such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least
It's actually not the devs of Java, but volunteers that created the package log4j, and that is open source. They maintain the project in their spare time, and came out with a patch within 24 hours of the exploit. Minecraft also came out with a patch, I believe within 24 hours of the exploit as well (2 days ago), so if your Minecraft server is not patched then that's due to the people who run your Minecraft server being lazy.
Also I'd like to mention Minecraft is less than 1% of the affected devices, as the exploit is able to perform payloads on companies and applications such as: Apple, Google, Apache, Tesla, Ghidra, Solr, Amazon, Cloudflare, PaloAlto, LinkedIn, VMWare, Redis, Steam, just to name a few. They say this could be the worst vulnerability to ever exist, even worse than Shellshock.
Obbe
Alan What?
[annoy my right-angled speediness]
Originally posted by the man who put it in my hood
such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least
I just put optifine on it the other day and it is running good now.
Originally posted by maddie
CVE-2021-44228, it's the log4shell vuln that's been going around. There is already a patch for Minecraft, and most other applications running log4j.
Thanks, although I've written tooling that can find all servers on the internet that run Apache or anything else for that matter, and I have a working PoC. Expect ransomware actors to try and make use of this vuln ASAP. Not me personally, but it wouldn't surprise me, given it literally took me less than an hour to read up on all the pertinent facts, get a hold of some 'scanners' that were floating about and through that knowledge develop a specific payload to get RCE.
When the entire world is distracted by the interplanetary vulnerability dubbed log4shell, who here is paying more attention to CVE-2021-42278 and CVE-2021-42287?