
Log4j and Log4Shell vulnerability CVE-2021-44228

Open estepix opened this issue 3 years ago • 5 comments

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Hi, I was wondering if you will upgrade MSCS to use log4j 2.15, since at the moment it downloads the vulnerable version 2.14.1. Not sure the vulnerability affects MSCS though, since Minecraft reports that MC v1.18.1 is already fixed.

To be on the safe side, I have added this to my mscs.defaults:

mscs-default-jvm-args=-Dlog4j2.formatMsgNoLookups=true

As recommended by Minecraft for server versions 1.17.x and 1.18

Thanks very much in advance

estepix, Dec 13 '21 13:12

Hi @estepix.

First off, MSCS does not use log4j. I'm not aware of how it gets installed, if certain addons install it, or if it comes bundled with Minecraft itself. According to Mojang, version 1.18.1 is safe to use. However, it probably is a good idea to add the workaround to the JVM args as you have done for servers running version 1.17. Servers running older software should look here for more information.

I don't plan on making any changes to the script due to this CVE unless I'm convinced otherwise. However, I think it would be best to leave this issue open so that other server admins will see it.

sandain, Dec 13 '21 16:12

There are additional JVM flags associated with this vulnerability that may still lead to exploitation. If you want to run a Minecraft server built with a vulnerable version of log4j (read: pre-1.18.1), you should use the following:

-Dlog4j2.formatMsgNoLookups=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false

izcet, Dec 13 '21 16:12

The instructions at https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition?ref=launcher say that for versions 1.12-1.16.5, you download a provided file, log4j2_112-116.xml, to the server's working directory, then add -Dlog4j.configurationFile=log4j2_112-116.xml to command line for the server. Just to confirm, the working directory for a server running under mscs will be /opt/mscs/worlds/worldname (or ~user/mscs/worlds/worldname for a multi-user installation), correct?

jwbrase, Dec 15 '21 06:12

Hi @jwbrase. I would think the best way to do this would be to save the xml file to the server folder /opt/mscs/server and use the mscs-jvm-args option:

mscs-jvm-args=-Dlog4j.configurationFile=/opt/mscs/server/log4j2_112-116.xml

sandain, Dec 15 '21 16:12

See the documentation for using these options: https://minecraftservercontrol.github.io/docs/mscs/adjusting-world-server-properties#individual-world-properties

sandain, Dec 15 '21 16:12
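The thread ends up with two different mitigations depending on server version: the JVM flags izcet lists for 1.17.x/1.18, and the `-Dlog4j.configurationFile=` option pointing at Mojang's `log4j2_112-116.xml` for 1.12 through 1.16.5, which sandain suggests giving as an absolute path so it does not depend on the server's working directory. The script below is an added example, not part of MSCS or of any comment above: it parses `key=value` lines in the style of `mscs.defaults` / a world's `mscs.properties`, works out the effective JVM arguments, and reports which of the thread's mitigations are missing for a given Minecraft version. The sample property text is constructed, and the rule that a world's `mscs-jvm-args` overrides `mscs-default-jvm-args` is an assumption about MSCS, not something the thread states.

```python
"""Audit MSCS-style property files for the Log4Shell mitigations discussed
in the thread. Added example; not MSCS code and not from any commenter."""
import re
from pathlib import PurePosixPath

# JVM flags named in the thread: Mojang's workaround plus izcet's JNDI flags.
NO_LOOKUPS = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_FLAGS = (
    "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false",
    "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false",
)
CONFIG_FILE_RE = re.compile(r"-Dlog4j\.configurationFile=(\S+)")

# Constructed sample of an mscs.defaults file (not a real installation).
DEFAULTS_SAMPLE = """\
# mscs.defaults (constructed sample)
mscs-default-jvm-args=-Dlog4j2.formatMsgNoLookups=true
"""


def parse_version(version):
    """'1.16.5' -> (1, 16, 5); '1.18' -> (1, 18, 0) so tuples compare cleanly."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_properties(text):
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_jvm_args(defaults, world=None):
    """Assumption: a world's mscs-jvm-args replaces mscs-default-jvm-args."""
    world = world or {}
    return world.get("mscs-jvm-args") or defaults.get("mscs-default-jvm-args", "")


def audit(version, args):
    """Compare the JVM args of a server of the given version against the
    mitigations the thread recommends. Returns status, missing flags, warnings."""
    v = parse_version(version)
    flags = set(args.split())
    missing, warnings = [], []

    if v >= (1, 18, 1):
        # Mojang reports 1.18.1 as fixed; nothing is required.
        return {"status": "patched", "missing": [], "warnings": []}
    if v < (1, 12, 0):
        # Older servers are not covered by the thread; defer to Mojang's article.
        return {"status": "unsupported", "missing": [], "warnings": []}

    if v >= (1, 17, 0):
        # 1.17.x and 1.18: the formatMsgNoLookups workaround
        if NO_LOOKUPS not in flags:
            missing.append(NO_LOOKUPS)
    else:
        # 1.12 to 1.16.5: the flag is not enough; a log4j2 config file is needed
        m = CONFIG_FILE_RE.search(args)
        if not m:
            missing.append("-Dlog4j.configurationFile=<path>/log4j2_112-116.xml")
        elif not PurePosixPath(m.group(1)).is_absolute():
            warnings.append(
                f"configurationFile '{m.group(1)}' is relative; it resolves "
                "against the server's working directory, so use an absolute path"
            )

    # izcet's point: without these, JNDI lookups can still fetch remote classes.
    for flag in JNDI_FLAGS:
        if flag not in flags:
            missing.append(flag)

    status = "ok" if not missing else "needs-action"
    return {"status": status, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    defaults = parse_properties(DEFAULTS_SAMPLE)
    for ver in ("1.16.5", "1.17.1", "1.18", "1.18.1"):
        print(ver, audit(ver, effective_jvm_args(defaults)))
```

Run it against a real installation by replacing `DEFAULTS_SAMPLE` with the contents of `/opt/mscs/mscs.defaults` and passing each world's `mscs.properties` as the `world` argument; a `needs-action` result lists exactly the flags to append to `mscs-jvm-args`.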