Mojang Studios, a Swedish video game company, has issued an urgent Minecraft security update to fix a severe problem in the Apache Log4j Java logging library employed by the game’s Java Edition client and multiplayer servers. With the Minecraft: Java Edition 1.18.1 launch, the flaw has been addressed and rolled out to all customers.
According to the company, “this release fixes a critical security issue for multiplayer servers, changes how the world fog works to make more of the world visible and fixes a couple of other bugs.”
“If you are running a multiplayer server, we highly encourage you to upgrade to this version as soon as possible.”
To update to the patched version, Mojang’s official game client users should quit all open game and Minecraft Launcher instances and restart the Launcher, which will automatically apply the fix. Gamers who use third-party launchers and customized Minecraft clients should contact their third-party suppliers for a security update.
Those who want to run their Minecraft: Java Edition servers will need to follow these methods, which vary based on the edition. The flaw, called Log4Shell or Logjam and currently listed as CVE-2021-44228, is a remote code execution (RCE) hole discovered in the widely used Apache Log4j Java-based logging library and disclosed by Alibaba Cloud’s security team.
It affects the default configurations of several Apache frameworks, including Apache Struts2, Apache Druid, Apache Solr, and Apache Flink, which are employed by various enterprise software products including Apple, Cloudflare, Steam, Amazon, Twitter, and others.
Attackers are already mass-searching the Internet [1, 2] for susceptible computers, and they are actively exploiting it in the wild, according to a CERT NZ security report. Coalition Director Of Engineering – Security Tiago Henriques and security expert Kevin Beaumont corroborated this.
Log4j 2.15.0 has already been issued by Apache to solve this critical vulnerability. Setting the system property “log4j2.formatMsgNoLookups” to “true” or expelling the JndiLookup class from the classpath can also alleviate CVE-2021-44228 in past releases (2.10 and later).
The seriousness of CVE-2021-44228 exploits was previously highlighted by security firm Lunasec, which stated that many, many services are vulnerable to this flaw. Security issues have already been discovered in cloud services like Steam and Apple iCloud, as well as programs like Minecraft.