⚠️Apache log4j2 2.0-2.14.1/Minecraft ? to 1.18
⚠️This vulnerability has not been fixed in Minecraft China Edition⚠️
Hackers can enter keywords through the chat bar to trigger hackers can use this vulnerability to perform remote code execution on the server
https://github.com/apache/logging-log4j2/commit/d82b47c6fae9c15fcb183170394d5f1a01ac02d3
⚠️How to resolve this vulnerability
Manually replace log4j2 with 2.15.0-rc1
log4j-core: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-core/2.15.1-SNAPSHOT/log4j-core-2.15.1-20211209.094358-2.jar
log4j-api: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-api/2.15.1-SNAPSHOT/log4j-api-2.15.1-20211209.094358-2.jar
log4j-slf4j18-impl: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-slf4j18-impl/2.15.1-SNAPSHOT/log4j-slf4j18-impl-2.15.1-20211209.094358-2.jar
⚠️Disable LDAP port (TCP/UDP 386/636)
⚠️Add -Dlog4j2.formatMsgNoLookups=true Java command line parameter (thanks @jiongjionger)
⚠️FIX BUG⚠️ NOW⚠️
From MCBBS CN @贺兰兰
Article source page
https://www.mcbbs.net/forum.php?mod=viewthread&tid=1283097
影响范围
所有包含 Apache log4j2 2.0-2.14.1 版本依赖库的服务端(? 至 Minecraft 1.18)
https://github.com/apache/logging-log4j2/commit/d82b47c6fae9c15fcb183170394d5f1a01ac02d3
可能的攻击方式
黑客通过在聊天栏输入关键字触发
可以导致的后果
远程代码执行
临时修复方案
手动替换 log4j2 为 2.15.0-rc1
log4j-core: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-core/2.15.1-SNAPSHOT/log4j-core-2.15.1-20211209.094358-2.jar
log4j-api: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-api/2.15.1-SNAPSHOT/log4j-api-2.15.1-20211209.094358-2.jar
log4j-slf4j18-impl: https://repository.apache.org/content/groups/snapshots/org/apache/logging/log4j/log4j-slf4j18-impl/2.15.1-SNAPSHOT/log4j-slf4j18-impl-2.15.1-20211209.094358-2.jar
禁用 LDAP 端口(TCP/UDP 386/636)
添加 -Dlog4j2.formatMsgNoLookups=true Java 命令行参数(感谢 @jiongjionger)
手把手教你修漏洞™
对于 1.18+ 的所有服务端(Vanilla,Spigot,Paper等)
有校验,不好改,等修复(有兴趣的话可以前往服务端核心中的 META-INF/libraries.list 文件,修改 log4j 相关的三个 jar 路径及其 SHA256 签名,然后将新的 jar 导入 librararies 文件的指定目录)
对于 1.18- 的 除 Paper(及其下游)服务端
使用压缩软件打开服务端核心和log4j-core,删除前者 org\apache\logging\log4j\core 文件夹,将后者同样路径中的 core 文件夹替换进去;然后删除org\apache\logging\log4j下的其他文件,将 log4j-api 中同名目录的所有文件替换进去即可
对于 1.18- 的 Paper 服务端
有校验,不好改,等修复(同样,有兴趣的话可以前往 paperclip 中的 patch.properties 文件,替换 originalHash 和 patchedHash 的哈希值为修改过后的 mojang_X.X.X.jar 和 patched_X.X.X.jar 的哈希值)
服务端核心修复跟踪
CatServer 声明其最新构建(21.12.10)已修复此漏洞(https://github.com/Luohuayu/CatServer/commit/9c1e882fb56ffd56fbb85429c09733dcd512ebec)
Paper 声明其 1.17.1(#398) 和 1.18(#64) 分支最新构建已修复此漏洞(1.17.1:https://github.com/PaperMC/Paper/commit/244b392f390afa7a4880e2207c7358fe195bd431 , 1.18:https://github.com/PaperMC/Paper/commit/b475c6a683fa34156b964f751985f36a784ca0e0)
来自MCBBS: @贺兰兰
原标题https://www.mcbbs.net/forum.php?mod=viewthread&tid=1283097
A repair mod for the java version has been issued on the MCBBS forum
2021-12-12
This vulnerability is very dangerous. Hackers can use this vulnerability to destroy your server or use your computer and server to mine viruses.
2021-12-10