Minecraft rushes out patch for critical Log4j vulnerability
Swedish video game developer Mojang Studios has released an emergency Minecraft security update to address a critical bug in the Apache Log4j Java logging library used by the game’s Java Edition client and multiplayer servers.
The vulnerability is fixed with the release of Minecraft: Java Edition 1.18.1, which is now rolling out to all customers.
“This release fixes a critical security issue for multiplayer servers, changes how the world fog works to make more of the world visible, and fixes a couple of other bugs,” the company said today.
“If you are running a multiplayer server, we highly encourage you to upgrade to this version as soon as possible.”
To upgrade to the patched version, those using Mojang’s official game client are advised to close all running game and Minecraft Launcher instances and restart the Launcher to install the patch automatically.
Players who use modified Minecraft clients and third-party launchers should reach out to their third-party providers for a security update.
Those hosting their own Minecraft: Java Edition servers must go through different steps depending on the version they’re using, as outlined here.
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.
The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://t.co/4Ji8nsvpHf
— Minecraft (@Minecraft) December 10, 2021
Actively exploited unauthenticated RCE vulnerability
The bug, now tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam, is a remote code execution (RCE) flaw found in the ubiquitous Apache Log4j Java-based logging library and reported by Alibaba Cloud’s security team.
It affects default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, used by numerous enterprise software products from Apple, Amazon, Cloudflare, Twitter, Steam, and others.
Attackers are already mass scanning the Internet [1, 2] for vulnerable systems and, according to a CERT NZ security advisory, they’re also actively exploiting it in the wild.
This was also confirmed by Coalition Director of Engineering – Security Tiago Henriques and security expert Kevin Beaumont.
Apache has already released Log4j 2.15.0 to address this maximum severity vulnerability. CVE-2021-44228 can also be mitigated in earlier releases (2.10 and later) by setting the system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.
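The remediation options above can be checked per JAR. The following is an added example, not code from Mojang or Apache: it classifies a log4j-core JAR by version, by presence of the JndiLookup class, and by whether the caller has confirmed the system property is set. It encodes only the guidance stated in this article (later Apache advisories revised it), does not look inside nested or shaded JARs, and assumes the JAR carries Maven metadata; `assess_jar` and `make_sample_jar` are hypothetical names.

```python
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the JAR was built with Maven and still carries its metadata file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return (major, minor, patch) from text such as '2.14.1', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess_jar(path, no_lookups_property=False):
    """Classify one log4j-core JAR against the article's remediation options.

    no_lookups_property must be True only if the JVM that loads this JAR is
    known to run with -Dlog4j2.formatMsgNoLookups=true.
    """
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1)) if m else None
    if version is None:  # fall back to a name like log4j-core-2.14.1.jar
        version = parse_version(os.path.basename(path))
    if JNDI_CLASS not in names:  # with the class gone the lookup cannot load
        return "mitigated: JndiLookup class removed"
    if version is None:
        return "unknown version: inspect manually"
    if version >= (2, 15, 0):
        return "patched per article: 2.15.0 or later"
    if version >= (2, 10, 0) and no_lookups_property:
        return "mitigated: formatMsgNoLookups=true"
    return "vulnerable: upgrade or remove JndiLookup"

def make_sample_jar(path, version, with_jndi=True):
    """Write a constructed stand-in JAR (empty class files, no Log4j code)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
```

Note that the property only counts for releases 2.10 and later, so a 2.9.x JAR started with the flag is still reported as vulnerable.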
Security company Lunasec underscored the severity of CVE-2021-44228 attacks earlier today, saying that “many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.”
“Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach,” they added.