Log4j and Log4Shell vulnerability CVE-2021-44228

[estepix]

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Hi I was wondering if you will upgrade MSCS to use log4j 2.15 since at the moment it downloads the vulnerable version 2.14.1, not sure the vulnerability affects MSCS though, since Minecraft reports that MC v1.18.1 is already fixed.

To be on the safe side, I have added this to my mscs.defaults:

mscs-default-jvm-args=-Dlog4j2.formatMsgNoLookups=true

As recommended by Minecraft for server versions 1.17.x and 1.18

Thanks very much in advance

[sandain]

Hi @estepix.

First off, MSCS does not use log4j. I'm not aware of how it gets installed, if certain addons install it, or if it comes bundled with Minecraft itself. According to Mojang, version 1.18.1 is safe to use. However, it probably is a good idea to add the workaround to the JVM args as you have done for servers running version 1.17. Servers running older software should look here for more information.

I don't plan on making any changes to the script due to this CVE unless I'm convinced otherwise. However, I think it would be best to leave this issue open so that other server admins will see it.

[izcet]

There are additional jvm flags associated with this vulnerability that may still lead to exploitation. If you want to run a minecraft server built with a vulnerable version of log4j (read: pre 1.18.1), you should use the following:

-Dlog4j2.formatMsgNoLookups=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false

[jwbrase]

The instructions at https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition?ref=launcher say that for versions 1.12-1.16.5, you download a provided file, log4j2_112-116.xml, to the server's working directory, then add -Dlog4j.configurationFile=log4j2_112-116.xml to command line for the server. Just to confirm, the working directory for a server running under mscs will be /opt/mscs/worlds/worldname (or ~user/mscs/worlds/worldname for a multi-user installation), correct?

[sandain]

Hi @jwbrase. I would think the best way to do this would be to save the xml file to the server folder /opt/mscs/server and use the mscs-jvm-args option:

mscs-jvm-args=-Dlog4j.configurationFile=/opt/mscs/server/log4j2_112-116.xml

[sandain]

See the documentation for using these options: https://minecraftservercontrol.github.io/docs/mscs/adjusting-world-server-properties#individual-world-properties