PSA: there is a fatal remote code execution exploit in minecraft, and it's by typing in chat

Status
Not open for further replies because of inactivity.
yeah this isn't a joke
basically talking in chat from 1.8 to 1.18 in a server will expose you to an exploit which could run any code in your machine, i.e. ransomware, token loggers, etc.
hypixel already patched this but there are some ways to fix this for yourself (this only works 1.17-1.18 except the spigot patch)
if you run a server:
1.8-1.18: update spigot to the latest version
- add the following java argument:
Java:
-Dlog4j2.formatMsgNoLookups=true
- update the server fabric version to 0.19.9
if you want to play normally:
- add the following java argument to your launcher:
Java:
-Dlog4j2.formatMsgNoLookups=true
- update the fabric mod loader to 0.19.9
HOWEVER
this bug can be somewhat mitigated by updating to a newer version of java, the one that the official launcher used to ship (now it ships a better one) was very outdated and had this problem, please download a newer version of java from either of the following links if you use multimc or another launcher:
adoptium (openjdk) (windows and x64 only, for other architectures or operating systems please click here)
oracle (java 8 311)
some more info: lunar and labymod already patched this clientside, idk about badlion but it's bad so who cares

please spread this news around and stay safe
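
Added example, not part of the original post: a small shell check that a Java launch command really applies the `-Dlog4j2.formatMsgNoLookups=true` argument mentioned above. It also catches the case where the flag is typed after `-jar server.jar`, where it is handed to the program instead of the JVM and does nothing. The function name, verdict words and sample command lines are made up for illustration, and it assumes arguments contain no quoted spaces.

```sh
#!/bin/sh
# check_launch_cmd "<java command line>" prints one verdict:
#   ok         flag is a JVM option and set to true
#   disabled   flag is a JVM option but set to something other than true
#   misplaced  flag only appears after -jar / the main class (application argument)
#   missing    flag does not appear at all
# Assumption: simple whitespace splitting, no quoted arguments with spaces.
check_launch_cmd() {
    flag='-Dlog4j2.formatMsgNoLookups='
    value='unset'      # value of the last occurrence among real JVM options
    late=no            # flag seen among application arguments
    in_jvm_opts=yes
    skip_next=no
    set -f             # no glob expansion while splitting (e.g. -cp libs/*)
    set -- $1
    set +f
    [ "$#" -gt 0 ] && shift          # drop the java executable itself
    for tok in "$@"; do
        if [ "$skip_next" = yes ]; then skip_next=no; continue; fi
        if [ "$in_jvm_opts" = yes ]; then
            case "$tok" in
                -jar) in_jvm_opts=no ;;                       # jar file and app args follow
                -cp|-classpath|--class-path) skip_next=yes ;; # next token is the class path
                "$flag"*) value=${tok#"$flag"} ;;
                -*) ;;                                        # some other JVM option
                *) in_jvm_opts=no ;;                          # main class: options end here
            esac
        else
            case "$tok" in "$flag"*) late=yes ;; esac
        fi
    done
    case "$value" in
        [Tt][Rr][Uu][Ee]) echo ok ;;
        unset) if [ "$late" = yes ]; then echo misplaced; else echo missing; fi ;;
        *) echo disabled ;;
    esac
}

# Constructed sample launch commands (not taken from any real server).
for cmd in \
    'java -Xmx2G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui' \
    'java -Xmx2G -jar server.jar -Dlog4j2.formatMsgNoLookups=true nogui'
do
    printf '%-10s %s\n' "$(check_launch_cmd "$cmd")" "$cmd"
done
```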
 
yeah this isn't a joke
basically talking in chat from 1.8 to 1.18 in a server will expose you to an exploit which could run any code in your machine, ie ransomware, token loggers, etc.
i'm pretty sure hypixel already patched this but there are 2 ways to fix this for yourself:
if you run a server:
1.8-1.18: update spigot to the latest version
1.8-1.18: add the following java argument:
Java:
-Dlog4j2.formatMsgNoLookups=true
1.14-1.18: update the server fabric version to 0.19.9
if you want to play normally:
1.8-1.18: add the following java argument to your launcher:
Java:
-Dlog4j2.formatMsgNoLookups=true
1.14-1.18: update the fabric mod loader to 0.19.9

please spread these news around and stay safe
Can confirm is true. I'm seeing it all over discord
 
Do you have any other sources for this?
 
how do i add the java flag?
1639095235357.png

if you click installations then click the three dots next to your minecraft java installation you should pop up with this screen. Just add the JVM argument to that text box and you should be all set.
 
so this only affects hypixel, correct? or does it affect all of minecraft (other servers besides hypixel, realms, etc)? is it guaranteed that i will get a malware if i send messages in chat? when will i actually be safe???
 
i think it affects other servers as well.
 
any server, i don't think realms count because it's mojang hosted and they wouldn't do that. for now, until this gets fixed, don't join any servers that you can't trust.
 