Leave it to Minecraft gamers to discover such as major exploit. Throwing my two cents into the void: Quickly making a comment on the Log4j Zero Day Exploit of 2021.
For those that don’t know, remote code execution (RCE) is possible by passing a Java Naming and Directory Interface (JNDI) Lookup to the logger.
Only Java applications using log4j-core and including user input in log messages are vulnerable. The dependencies slf4j log4j-api should not be vulnerable as they cannot be exploited on their own. Versions 1.x are also said to not be vulnerable. That can be added to the backlog to be patched in the near future.
If you’re running version 2.x to 2.14.1, you’ll want to update to the latest version from Apache as soon as possible: Download Apache Log4j 2. Now, some mitigation solutions exist for particular versions out there, but I’d recommend updating anyway. Better to be safe than sorry.
It also doesn’t hurt to look into logging alternatives. The Apache Foundation is wonderful and it’s great they were able to patch this so quickly, but the cause of this exploit could have been easily avoided. This also isn’t the first time a major vulnerability has been found in their software, like Apache Struts 2 Vulnerability Leads to RCE back in 2017.
We all have our work cut out for this. Good luck to all the dev teams working to resolve this issue.
Merry Christmas and Happy Holidays! I’ll catch you in 2022.
References
Log4j Vulnerability Could Give Hackers Control Over Millions of Devices - YouTube
Zero-Day Exploit Targeting Popular Java Library Log4j
Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
An update on the Apache Log4j CVE-2021-44228 vulnerability - IBM PSIRT Blog