Log4j and Log4Shell vulnerability CVE-2021-44228 #301

Open
estepix opened this issue Dec 13, 2021 · 5 comments

Comments

@estepix

estepix commented Dec 13, 2021

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Hi, I was wondering if you will upgrade MSCS to use log4j 2.15, since at the moment it downloads the vulnerable version 2.14.1. Not sure the vulnerability affects MSCS though, since Minecraft reports that MC v1.18.1 is already fixed.

To be on the safe side, I have added this to my mscs.defaults:

mscs-default-jvm-args=-Dlog4j2.formatMsgNoLookups=true

As recommended by Minecraft for server versions 1.17.x and 1.18.

Thanks very much in advance

@sandain
Member

sandain commented Dec 13, 2021

Hi @estepix.

First off, MSCS does not use log4j. I'm not aware of how it gets installed, if certain addons install it, or if it comes bundled with Minecraft itself. According to Mojang, version 1.18.1 is safe to use. However, it probably is a good idea to add the workaround to the JVM args as you have done for servers running version 1.17. Servers running older software should look here for more information.

I don't plan on making any changes to the script due to this CVE unless I'm convinced otherwise. However, I think it would be best to leave this issue open so that other server admins will see it.

@izcet

izcet commented Dec 13, 2021

There are additional JVM flags associated with this vulnerability that may still lead to exploitation. If you want to run a Minecraft server built with a vulnerable version of log4j (read: pre-1.18.1), you should use the following:

-Dlog4j2.formatMsgNoLookups=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false

@jwbrase

jwbrase commented Dec 15, 2021

The instructions at https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition?ref=launcher say that for versions 1.12-1.16.5, you download a provided file, log4j2_112-116.xml, to the server's working directory, then add -Dlog4j.configurationFile=log4j2_112-116.xml to command line for the server. Just to confirm, the working directory for a server running under mscs will be /opt/mscs/worlds/worldname (or ~user/mscs/worlds/worldname for a multi-user installation), correct?

@sandain
Member

sandain commented Dec 15, 2021

Hi @jwbrase. I would think the best way to do this would be to save the xml file to the server folder /opt/mscs/server and use the mscs-jvm-args option:

mscs-jvm-args=-Dlog4j.configurationFile=/opt/mscs/server/log4j2_112-116.xml
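The two mitigations discussed above (the JVM flags for 1.17.x/1.18 and the log4j2_112-116.xml configuration file for 1.12 to 1.16.5) are easy to get subtly wrong: a flag in the wrong key, a config path that does not exist, or a server jar that still bundles an old log4j-core. The script below is an added example for checking that, not MSCS code and not Mojang's. Assumptions not taken from this thread: that a server jar carries log4j-core classes either directly or as nested jars under META-INF/libraries/ (the 1.18-style bundled layout), that the JndiLookup.class and pom.properties paths are the standard log4j-core ones, and that the version-to-mitigation mapping follows this thread (1.18.1 needs nothing; 1.17.x and 1.18 need -Dlog4j2.formatMsgNoLookups=true; 1.12 to 1.16.5 need -Dlog4j.configurationFile=...; anything older is reported as "unknown" because the thread does not cover it). build_sample_jar is a constructed stand-in, not a real Minecraft jar; the mscs-default-jvm-args key is the one shown in the first comment.

```python
"""Audit a Minecraft server for the Log4Shell (CVE-2021-44228) mitigations
named in this thread.  Added example, not MSCS code; the jar layout and the
version-to-mitigation mapping below are assumptions, see the lead-in."""
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FLAG_NO_LOOKUPS = "-Dlog4j2.formatMsgNoLookups=true"
FLAGS_JNDI_CODEBASE = (
    "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false",
    "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false",
)

def _scan_zip(zf, findings, prefix=""):
    names = zf.namelist()
    if JNDI_CLASS in names:
        findings["jndi_lookup"].append(prefix + JNDI_CLASS)
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            findings["log4j_core_versions"].append(m.group(1).strip())
    for name in names:  # assumed bundler layout: recurse into nested library jars
        if name.startswith("META-INF/libraries/") and name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, findings, prefix=name + "!/")

def scan_jar(jar_bytes: bytes) -> dict:
    """Report where JndiLookup.class lives and which log4j-core versions
    are declared, including inside nested META-INF/libraries/*.jar."""
    findings = {"jndi_lookup": [], "log4j_core_versions": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        _scan_zip(zf, findings)
    return findings

def required_mitigation(mc_version: str) -> str:
    """Map a server version to the mitigation this thread prescribes for it."""
    v = tuple(int(p) for p in re.findall(r"\d+", mc_version)[:3])
    if v >= (1, 18, 1):
        return "none"  # Mojang: fixed in 1.18.1
    if v >= (1, 17):
        return "formatMsgNoLookups"
    if v >= (1, 12):
        return "configurationFile"
    return "unknown"  # older servers are not covered by this thread

def jvm_args_from_properties(text: str, key: str = "mscs-default-jvm-args") -> str:
    """Pull a JVM-args value out of an mscs.defaults-style key=value file."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)  # the value itself contains '=' signs
        if k.strip() == key:
            return v.strip()
    return ""

def audit_jvm_args(jvm_args: str, mc_version: str,
                   config_exists=lambda p: Path(p).is_file()) -> list:
    """Return the mitigations missing from jvm_args; [] means none missing."""
    args = jvm_args.split()
    need = required_mitigation(mc_version)
    problems = []
    if need == "formatMsgNoLookups" and FLAG_NO_LOOKUPS not in args:
        problems.append("missing " + FLAG_NO_LOOKUPS)
    if need == "configurationFile":
        cfg = [a.split("=", 1)[1] for a in args
               if a.startswith("-Dlog4j.configurationFile=")]
        if not cfg:
            problems.append("missing -Dlog4j.configurationFile=<log4j2_112-116.xml>")
        elif not config_exists(cfg[0]):
            problems.append("config file not found: " + cfg[0])
    if need != "none":  # still-vulnerable log4j: also close the JNDI codebase path
        problems += ["missing " + f for f in FLAGS_JNDI_CODEBASE if f not in args]
    return problems

def build_sample_jar(log4j_version: str = "2.14.1", nested: bool = False) -> bytes:
    """Constructed stand-in for a server jar; not a real Minecraft jar."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()
    core = {JNDI_CLASS: b"\xca\xfe\xba\xbe",
            POM_PROPS: "version=%s\nartifactId=log4j-core\n" % log4j_version}
    if nested:
        return make({"META-INF/libraries/log4j-core.jar": make(core)})
    return make(core)

if __name__ == "__main__":
    defaults = "# constructed mscs.defaults\nmscs-default-jvm-args=" + FLAG_NO_LOOKUPS + "\n"
    print(scan_jar(build_sample_jar(nested=True)))
    print(audit_jvm_args(jvm_args_from_properties(defaults), "1.17.1"))
```

Run against a real installation, replace build_sample_jar with the bytes of the server jar under /opt/mscs/server and feed the real mscs.defaults to jvm_args_from_properties; a non-empty list from audit_jvm_args, or a jndi_lookup hit together with a log4j-core version below 2.15 on a server that is not 1.18.1, is the signal that the workaround is incomplete. The check only reads; it does not edit any configuration.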

@sandain
Member

sandain commented Dec 15, 2021

4 participants