Log4Shell #17
Comments
In 00419bb, I noticed that there might actually be yet another way of fixing this:
Is it currently fixed? I would love to use this client, as it is open-source, but I'm unsure if I should do it rn with Log4Shell.
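Tl;Dr: Maybe. Looking at the code (or rather the included log4j version and configuration), it should not be. But I wasn't able to exploit it, running directly from Eclipse, just writing something like ${jndi:ldap://localhost:4269/xyz} in the chat.
Also, if you're using the official Minecraft launcher from Mojang, it should patch it automatically, if I'm understanding their blog post correctly (just checked and it isn't too explicit about that).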
It really depends on what you want to do. Do you want to join the servers of Black Hat Hackers? Then you should consider waiting. But if you don't join any untrusted servers, there should be no attack surface introduced by this client at all.
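One way to check "the included log4j version" mentioned in the comment above, as an added example (not code from this project or its maintainers). It assumes the jar still carries the standard Maven `pom.properties` entry for log4j-core, uses the affected ranges from Apache's advisory for CVE-2021-44228 only, and runs on constructed sample jars built by the hypothetical helper `make_sample_jar`.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '-beta9' are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def affected_by_cve_2021_44228(version):
    """Affected: [2.0-beta9, 2.3.1), [2.4, 2.12.2), [2.13.0, 2.15.0); older 2.0 betas are flagged too."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v[:2] <= (2, 3):
        return v < (2, 3, 1)       # 2.3.1 is the Java 6 security backport
    if v[:2] <= (2, 12):
        return v < (2, 12, 2)      # 2.12.2 is the Java 7 security backport
    return v < (2, 15, 0)

def inspect_jar(source):
    """source: path or binary file object of a log4j-core jar (or a jar bundling it)."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    match = re.search(r"^version=(.+)$", props, re.MULTILINE)
    version = match.group(1).strip() if match else None
    has_lookup = JNDI_LOOKUP in names
    if not has_lookup:
        verdict = "no JndiLookup class in jar"
    elif version is None:
        verdict = "JndiLookup present, version unknown: check manually"
    elif affected_by_cve_2021_44228(version):
        verdict = "affected by CVE-2021-44228"
    else:
        verdict = "not affected by CVE-2021-44228"
    return {"version": version, "jndi_lookup": has_lookup, "verdict": verdict}

def make_sample_jar(version, with_lookup=True):
    """Constructed test input: a minimal jar holding only the entries inspected above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP, b"")
    return buf
```

Pass the path of a real jar to `inspect_jar` to check a client build; a "not affected" verdict here says nothing about later log4j CVEs.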
Well I’m installing this hacked client for a server called constantiam.net, an anarchy server, so I prefer having a safe client without an issue like Log4Shell.
Sent via email. There might be display errors.
On 20 Jul 2022 at 19:11, pixel ***@***.***> wrote:
@omerien
Is it currently fixed?
Tl;Dr: Maybe.
Looking at the code (or rather the included log4j version and configuration), it should not be. But I wasn't able to exploit it, running directly from Eclipse, just writing something like ${jndi:ldap://localhost:4269/xyz} in the chat.
Also, if you're using the official Minecraft launcher from Mojang, it should patch it automatically, if I'm understanding their blog post correctly (just checked and it isn't too explicit about that).
I'm unsure if I should do it rn with Log4Shell.
It really depends on what you want to do. Do you want to join the servers of Black Hat Hackers? Then you should consider waiting. But if you don't join any untrusted servers, there should be no attack surface introduced by this client at all.
While I am not sure that players in chat could exploit CVE-2021-44228 (Log4Shell), and when you're just playing on large servers you can sue them if they try to hack you, we should still fix it.
Mojang already did half the work by pointing us in the right direction in their blog post about the vulnerability. There will probably be a fix in the next version, as well as some information on how to fix it yourself for older versions.
This also relates to #16, because using a package manager would make this a bit easier.