PSA: there is a fatal remote code execution exploit in minecraft, and it's by typing in chat

Status
Not open for further replies because of inactivity.
hypixel I believe has a fix for this issue which is adding the java argument to their server. it's every server that hasn't patched it themselves, don't have a plugin to patch it, or aren't on a patched version of Minecraft. Realms I don't know if they are affected. It is not guaranteed that an attacker will execute the code through chat but if they do you will be affected unless you have modified your arguments to fix it.
actually the argument doesn't work in older versions of the game apparently, what hypixel did was just add a chat filter to prevent the exploit messages from being sent
 
yeah this isn't a joke
basically talking in chat from 1.8 to 1.18 in a server will expose you to an exploit which could run any code in your machine, i.e. ransomware, token loggers, etc.
hypixel already patched this but there are some ways to fix this for yourself (this only works 1.17-1.18 except the spigot patch)
if you run a server:
- 1.8-1.18: update spigot to the latest version
- add the following java argument:
    -Dlog4j2.formatMsgNoLookups=true
- update the server fabric version to 0.19.9
if you want to play normally:
- add the following java argument to your launcher:
    -Dlog4j2.formatMsgNoLookups=true
- update the fabric mod loader to 0.19.9
HOWEVER
this bug can be somewhat mitigated by updating to a newer version of java, the one that the official launcher used to ship (now it ships a better one) was very outdated and had this problem, please download a newer version of java from either of the following links if you use multimc or another launcher:
adoptium (openjdk) (windows and x64 only, for other architectures or operating systems please click here)
oracle (java 8 311)
some more info: lunar and labymod already patched this clientside, idk about badlion but it's bad so who cares

please spread this news around and stay safe
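
Added example, not part of the original post: a small Python check that the -Dlog4j2.formatMsgNoLookups=true argument from the post is actually placed where the JVM reads it. Anything after "-jar <file>" or after the main class is handed to the game as a program argument and is not a JVM option, which is an easy mistake in start scripts. The sample command lines, function names and status strings are constructed for illustration, and the option parsing is simplified.

```python
import shlex

FLAG = "-Dlog4j2.formatMsgNoLookups"
# JVM options whose value is the next token (simplified list, an assumption).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}


def split_jvm_and_program_args(tokens):
    """Split a java command line into JVM options and program arguments."""
    jvm, i = [], 1  # tokens[0] is the java executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-jar":
            return jvm, tokens[i + 2:]   # skip "-jar" and the jar path
        if tok in TAKES_VALUE:
            i += 2                       # skip the option and its value
            continue
        if not tok.startswith("-"):
            return jvm, tokens[i + 1:]   # main class reached
        jvm.append(tok)
        i += 1
    return jvm, []


def _is_flag(tok):
    return tok == FLAG or tok.startswith(FLAG + "=")


def check_launch_command(cmd):
    """Return 'ok', 'not-true', 'misplaced' or 'missing' for one command."""
    jvm, prog = split_jvm_and_program_args(shlex.split(cmd))
    values = [t.partition("=")[2] for t in jvm if _is_flag(t)]
    if values:
        # Conservative: only an explicit "true" counts as enabled.
        return "ok" if all(v.lower() == "true" for v in values) else "not-true"
    if any(_is_flag(t) for t in prog):
        return "misplaced"               # the JVM never sees it here
    return "missing"


if __name__ == "__main__":
    # Constructed sample command lines.
    for cmd in (
        "java -Xmx2G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui",
        "java -Xmx2G -jar server.jar -Dlog4j2.formatMsgNoLookups=true nogui",
        "java -Xmx2G -jar server.jar nogui",
    ):
        print(check_launch_command(cmd), "<-", cmd)
```

A result of "ok" only confirms where the argument sits; as the post says, the argument itself only helps on 1.17-1.18.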
well crap.
 
If Mojang knew about this exploit they would have taken steps to save the world from it. They wouldn't have shipped vulnerable Minecraft versions.

This works on Realms, servers, LAN worlds, single-player—all that has to happen is your client has to log a certain string, like a certain chat message, and that has the potential to remotely execute code on your machine. So if other players can send you chat messages, you're vulnerable. Servers can block the chat messages, and maybe Realms has already done that.



Side note—reading through these threads, the people on this forum are actually idiots. Everyone's like 11 years old.
Mojang have patched it, however they cannot remove it as it is a feature in java which is owned by oracle
 