How can I check if my Minecraft client is vulnerable to Log4j?
I know that the Log4Shell exploit in Log4j allows attackers to run arbitrary commands on people's computers, and that Minecraft is vulnerable. Is there a Minecraft server that I can join which will tell me if my client is patched or if I'm vulnerable? If not, is there another way that I can check if the vulnerability exists on my system?
First of all: Do NOT trust any wild server that tells you that you're safe from being exploited by the log4j vulnerability. You could get exploited without even knowing.
As for the log4j vulnerability, basically all Minecraft clients are not protected against this vulnerability (if you didn't restart your Minecraft launcher and client, of course). This includes Forge of course, so re-installing your Forge is critical.
If you've restarted your Minecraft launcher and Minecraft client later than December 10, 2021, you'll be fine (reference; I recommend reading the whole thread). However, if you're on a third-party launcher/client, this doesn't apply: it's up to the creator of that launcher/client.
And if you're hosting a Minecraft server, follow the instructions from Minecraft's official notice. The fix will vary depending on what version your server is, so I'll just link it.
A second option, if you're a little more paranoid and/or interested in the technical details, is to try using ${java:version} as a harmless indicator of vulnerability to CVE-2021-44228. This should work for both servers and clients. I'll focus on clients here, but some brief notes on servers are included just for fun.
First, you'll need a way to view the logs. This can either be the debug log for the client, which you can enable in the launcher, the console if you're running a server, or by opening and reading the most recent entry in your logs folder for either (for the client, this can be found at %AppData%/Roaming/.minecraft on Windows, ~/Library/Application Support/minecraft on Mac, or ~/.minecraft on Linux).
Now, you can open a single-player world, and type ${java:version} in chat. In your log, you should see one of two things: the unmodified message ${java:version}, or something like Java Version [some numbers]. If it's the first, and what you typed in is unchanged, you should be safe. If it gets changed to indicate the Java version, you are vulnerable.
It should go without saying, but do not try anything you don't understand (things like ${jndi:...}), and if you're running a server or a world open to LAN, be extra careful to block the port it's running on (so other people can't also exploit the vulnerability).
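The log check described in the answer above can be automated. This is an added example, not part of the original post: it reads a client log and reports whether the ${java:version} chat message was logged unchanged or substituted. The "[CHAT]" line marker, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
import sys

# The harmless lookup typed into chat; seeing it unchanged means no substitution happened.
LITERAL = "${java:version}"
# Substituted form the answer describes ("Java Version [some numbers]").
EXPANDED = re.compile(r"\bJava version \d[\w.\-+]*", re.IGNORECASE)
# Assumption: chat messages are logged on lines that carry a "[CHAT]" marker.
CHAT_MARKER = "[CHAT]"

# Constructed sample log lines, not taken from a real client.
SAMPLE_UNCHANGED = ["[12:00:01] [Render thread/INFO]: [CHAT] <Steve> ${java:version}"]
SAMPLE_SUBSTITUTED = ["[12:00:01] [main/INFO]: [CHAT] <Steve> Java version 1.8.0_51"]


def classify_line(line):
    """Return 'literal', 'expanded' or None for a single log line."""
    if CHAT_MARKER not in line:
        return None  # ignore non-chat lines that may mention the Java version
    message = line.split(CHAT_MARKER, 1)[1]
    if LITERAL in message:
        return "literal"
    if EXPANDED.search(message):
        return "expanded"
    return None


def assess(lines):
    """Summarise a log; a single substituted message is enough to report 'vulnerable'."""
    seen = {classify_line(line) for line in lines}
    if "expanded" in seen:
        return "vulnerable"
    if "literal" in seen:
        return "not substituted"
    return "inconclusive"  # the test message was never logged


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_log.py <path to client log>")
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        print(assess(handle))
```

A chat message that literally reads "Java version 17" would also be reported as substituted, so run it against a log where the only test message typed was ${java:version}.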