A far-reaching zero-day security vulnerability has been discovered that could allow for remote code execution by nefarious actors on a server, and which could impact heaps of online applications, including Minecraft: Java Edition, Steam, Twitter, and many more if left unchecked.
The exploit ID'd as CVE-2021-44228, which is marked as 9.8 on the severity scale by Red Hat but is fresh enough that it's still awaiting analysis by NVD. It sits within the widely-used Apache Log4j Java-based logging library, and the danger lies in how it enables a user to run code on a server—potentially taking over complete control without proper access or authority, through the use of log messages.
Minecraft update: What's new?
Minecraft skins: New looks
Minecraft mods: Beyond vanilla
Minecraft shaders: Spotlight
Minecraft seeds: Fresh new worlds
Minecraft texture packs: Pixelated
Minecraft servers: Online worlds
Minecraft commands: All cheats
"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the CVE ID description states.
The issue could affect Minecraft: Java Edition, Tencent, Apple, Twitter, Amazon, and many more online service providers. That's because while Java isn't so common for users anymore, it is still widely used in enterprise applications. Fortunately, Valve said that Steam is not impacted by the issue.
"We immediately reviewed our services that use log4j and verified that our network security rules blocked downloading and executing untrusted code," a Valve representative told PC Gamer. "We do not believe there are any risks to Steam associated with this vulnerability."
As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Although, users of older versions may also be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath.
If you're running a server using Apache, such as your own Minecraft Java server, you will want to upgrade immediately to the newer version or patch your older version as above to ensure your server is protected. Similarly, Mojang has released a patch to secure user's game clients, and further details can be found here.
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify.https://t.co/4Ji8nsvpHfDecember 10, 2021
The long-term fear is that, while those in the know will now mitigate the potentially dangerous flaw, there will be many more left in the dark who will not and may leave the flaw unpatched for a long period of time.
Many already fear the vulnerability is being exploited already, including CERT NZ. As such, many enterprise and cloud users will likely be rushing to patch out the impact as quickly as possible.
"Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately," Security firm Randori says in a blog post on the vulnerability.
