PSA: there is a fatal remote code execution exploit in minecraft, and it's by typing in chat

Status
Not open for further replies because of inactivity.
hm this is quite a concern it seems... i'm not sure that there's a way to add " -Dlog4j2.formatMsgNoLookups=true" if you use lunar client, so as a duels main, playing with the chat off is perhaps the optimal plan for this - again, i'm not even sure about how high the magnitude of this situation truly is, but good-practice measures won't hurt.
 
anyways, is it safe if i launch 1.8.9 forge using the jvm arguments thing?
yes
hm this is quite a concern it seems... i'm not sure that there's a way to add " -Dlog4j2.formatMsgNoLookups=true" if you use lunar client, so as a duels main, playing with the chat off is perhaps the optimal plan for this - again, i'm not even sure about how high the magnitude of this situation truly is, but good-practice measures won't hurt.
you can always use something like forge
 
don't worry, there is no current CVE that would suggest that this exploit allows remote code execution - it's possible that it can be done on older Java 8 versions, but on newer ones, it'll just be annoying spam!

this exploit relates to log4j property lookups, and from testing it seems it only affects 1.12+, and clients are largely unaffected (though there is still the possibility for a server to send a specially crafted message to a client that's running an older java version in order to remotely execute code)
adding this flag doesn't hurt and will fix annoying spam some hackers can cause, but don't be afraid of them hacking your computer :3

stay safe, guys!!
CVE-2017-5645? I'm not sure if this is the same bug it's referring to.
 
so this only affects hypixel, correct? or does it affect all of minecraft (other servers besides hypixel, realms, etc)? is it guaranteed that i will get a malware if i send messages in chat? when will i actually be safe???
all servers, not sure about realms though as they are hosted by mojang and this big of an exploit probably wouldn't have slipped past them, but i would recommend only joining servers you trust (like private servers and stuff).
 
so this only affects hypixel, correct? or does it affect all of minecraft (other servers besides hypixel, realms, etc)? is it guaranteed that i will get a malware if i send messages in chat? when will i actually be safe???
hypixel I believe has a fix for this issue which is adding the java argument to their server. it's every server that hasn't patched it themselves, don't have a plugin to patch it, or aren't on a patched version of Minecraft. Realms I don't know if they are affected. It is not guaranteed that an attacker will execute the code through chat but if they do you will be affected unless you have modified your arguments to fix it.
 
all servers, not sure about realms though as they are hosted by mojang and this big of an exploit probably wouldn't have slipped past them, but i would recommend only joining servers you trust (like private servers and stuff).
If Mojang knew about this exploit they would have taken steps to save the world from it. They wouldn't have shipped vulnerable Minecraft versions.

This works on Realms, servers, LAN worlds, single-player—all that has to happen is your client has to log a certain string, like a certain chat message, and that has the potential to remotely execute code on your machine. So if other players can send you chat messages, you're vulnerable. Servers can block the chat messages, and maybe Realms has already done that.

The flag -Dlog4j2.formatMsgNoLookups=true works for 1.17 and 1.18. For 1.12-1.16, that option doesn't exist and won't help. 1.11 and older are not vulnerable.

Side note—reading through these threads, the people on this forum are actually idiots. Everyone's like 11 years old.
 
yeah this isn't a joke
basically talking in chat from 1.8 to 1.18 in a server will expose you to an exploit which could run any code in your machine, ie ransomware, token loggers, etc.
i'm pretty sure hypixel already patched this but there are 2 ways to fix this for yourself:
if you run a server:
1.8-1.18: update spigot to the latest version
1.8-1.18: add the following java argument:
Java:
-Dlog4j2.formatMsgNoLookups=true
1.14-1.18: update the server fabric version to 0.19.9
if you want to play normally:
1.8-1.18: add the following java argument to your launcher:
Java:
-Dlog4j2.formatMsgNoLookups=true
1.14-1.18: update the fabric mod loader to 0.19.9

please spread this news around and stay safe
Also use lunar client because they have patched it too on client side.
#LunarForLife
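
The post above says to add the Java argument to the server or launcher. A common slip when doing that is placing it after `-jar`, where it becomes a program argument instead of a JVM option. The checker below is an added example, not code from the thread or from any launcher; the sample command lines, jar name and class name are constructed placeholders.

```python
import shlex

PROP = "-Dlog4j2.formatMsgNoLookups"
# JVM options that consume the next token as their value (simplified list).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}

def check_launch_command(command):
    """Return 'ok', 'disabled', 'misplaced' or 'missing' for a java command line."""
    tokens = shlex.split(command)[1:]          # drop the java executable
    jvm_opts, app_args = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-jar":                      # -jar <file> ends the JVM options
            app_args = tokens[i + 2:]
            break
        if tok in TAKES_VALUE:                 # skip the option and its value
            i += 2
            continue
        if not tok.startswith("-"):            # main class ends the JVM options
            app_args = tokens[i + 1:]
            break
        jvm_opts.append(tok)
        i += 1
    settings = [t for t in jvm_opts if t == PROP or t.startswith(PROP + "=")]
    if settings:
        # Assumption: when the property is repeated, the last definition wins.
        value = settings[-1].partition("=")[2]
        return "ok" if value.lower() == "true" else "disabled"
    if any(t.startswith(PROP) for t in app_args):
        return "misplaced"                     # handed to the program, not the JVM
    return "missing"

# Constructed sample command lines (file and class names are placeholders).
SAMPLES = {
    "flag before -jar": "java -Xmx2G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui",
    "flag after -jar": "java -Xmx2G -jar server.jar -Dlog4j2.formatMsgNoLookups=true nogui",
    "no flag": "java -Xmx2G -jar server.jar nogui",
    "set to false": 'java -Dlog4j2.formatMsgNoLookups=false -cp "libs/*" net.example.Main',
}

def audit(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: check_launch_command(cmd) for name, cmd in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

This only checks where the flag sits on the command line; whether a given Minecraft version honours it is the point the posters in this thread disagree on.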
 
hm this is quite a concern it seems... i'm not sure that there's a way to add " -Dlog4j2.formatMsgNoLookups=true" if you use lunar client, so as a duels main, playing with the chat off is perhaps the optimal plan for this - again, i'm not even sure about how high the magnitude of this situation truly is, but good-practice measures won't hurt.
I have heard that on lunar it's patched
 