How can I check if my Minecraft client is vulnerable to Log4j?

minecraft-java-edition

I know that the Log4Shell exploit in Log4j allows attackers to run arbitrary commands on people's computers, and that Minecraft is vulnerable. Is there a Minecraft server that I can join which will tell me if my client is patched or if I'm vulnerable? If not, is there another way that I can check if the vulnerability exists on my system?


First of all: Do NOT trust any wild server that tells you that you're safe from being exploited by log4j vulnerability. You could get exploited without even knowing.

As for the log4j vulnerability, basically all Minecraft clients are not protected against this vulnerability (If you didn't restart your Minecraft launcher and client, of course.) This includes Forge of course, so re-installing your Forge is critical.

If you've restarted your Minecraft launcher and Minecraft client at later 2021, December 10, you'll be fine (reference, I recommend reading whole thread.) However, if you're on third-party launcher/client, this doesn't apply: it's up to creator of that launcher/client.

And, if you're hosting Minecraft server, follow the instruction from Minecraft official's notice. The fix will vary depending on what version your server is, so I'll just link it.


A second option, if you're a little more paranoid and/or interested in the technical details, is to try using ${java:version} as a harmless indicator of vulnerability to CVE-2021-44228. This should work for both servers and clients, I'll focus on clients here but some brief notes on servers are included just for fun.

First, you'll need a way to view the logs. This can either be the debug log for the client, which you can enable in the launcher, the console if you're running a server, or by opening and reading the most recent entry in your logs folder for either (for the client, this can be found at %AppData%/Roaming/.minecraft on windows, ~/Library/Application Support/minecraft on Mac, or ~/.minecraft on linux).

Now, you can open a single-player world, and type ${java:version} in chat. In your log, you should see one of two things: the unmodified message ${java:version}, or something like Java Version [some numbers]. If it's the first, and what you typed in is unchanged, you should be safe. If it gets changed to indicate the Java version, you are vulnerable.

It should go without saying, but do not try anything you don't understand (things like ${jndi:...}), and if you're running a server or a world open to LAN, be extra careful to block the port it's running on (so other people can't also exploit the vulnerability).

Related

Does the other person know that you have blocked them in xbox live?
Infinite food, water and power
My stuff disappears when I log off multiplayer mode in Minecraft
On a Nintendo Switch, why don't parental controls kill the game when the time limit is up?
Why did GLaDOS have an Anger Core?
Underground Dirt and Gravel
I just installed Gangstar New Orleans from Microsoft Store but it's loading forever!
Is there a technical requirement to serve 404 responses?
SSL certificate is not valid when the server is connecting itself
How do I find the openssl libraries on Linux (Debian buster)
What happens when there's no custom chain to jump in a table in iptables?
Nginx reverse proxy for two webapplications