Update your Minecraft Servers. Security Issues!

Details from Minecraft: https://www.minecraft.net/de-de/article/important-message--security-vulnerability-java-edition?ref=launcher (thanks @IfeelKindaSick)

Important security update for Minecraft Servers. If you’re running a Minecraft server please update your run.bat file and add -Dlog4j2.formatMsgNoLookups=true. There is a Java Exploit out in the wild.

Old:

java -Xmx1024M -Xms1024M -jar server.jar nogui

New:

java -Xmx1024M -Xms1024M -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui

More details on the security vulnerability: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet | Ars Technica
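An added example, not part of the original post: a Python check for the run.bat change described above. It finds `java ... -jar` lines in a launch script and reports whether the flag sits among the JVM options; anything after `-jar server.jar` is passed to the server as a program argument rather than to the JVM, so a flag placed there is reported as misplaced. The function names and the sample script are constructed for illustration.

```python
import re

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Any copy of the property, whatever its value, plus the whitespace before it.
PROP = re.compile(r"\s*-Dlog4j2\.formatMsgNoLookups=\S*")
JAVA = re.compile(r"\bjavaw?(\.exe)?\b.*?\s-jar\s", re.I)
COMMENT = re.compile(r"^\s*(rem\b|::|#)", re.I)  # batch and shell comments

def check_line(line):
    """Return 'skip', 'ok', 'missing' or 'misplaced' for one script line."""
    if COMMENT.match(line) or not JAVA.search(line):
        return "skip"
    # JVM options come before -jar; everything after goes to the server.
    jvm_part, app_part = re.split(r"\s-jar\s", line, maxsplit=1)
    if FLAG in jvm_part.split():
        return "ok"
    return "misplaced" if FLAG in app_part.split() else "missing"

def fix_line(line):
    """Return the line with the flag placed directly before -jar."""
    if check_line(line) in ("skip", "ok"):
        return line
    cleaned = PROP.sub("", line)  # drop misplaced or non-true copies
    return re.sub(r"\s-jar\s", f" {FLAG} -jar ", cleaned, count=1)

def audit(script_text):
    """Return (line number, status, corrected line) for each launch line."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        status = check_line(line)
        if status != "skip":
            findings.append((number, status, fix_line(line)))
    return findings

# Constructed sample run.bat covering the three cases.
SAMPLE_RUN_BAT = """\
@echo off
REM java -Xmx1024M -Xms1024M -jar server.jar nogui
java -Xmx1024M -Xms1024M -jar server.jar nogui
java -Xmx1024M -Xms1024M -jar server.jar nogui -Dlog4j2.formatMsgNoLookups=true
java -Xmx1024M -Xms1024M -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui
pause
"""

if __name__ == "__main__":
    for number, status, fixed in audit(SAMPLE_RUN_BAT):
        print(f"line {number}: {status}\n    {fixed}")
```

The check only looks for the flag from this post; whether the flag is enough depends on the server version, as the reply below points out.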


Patrick. This does NOT work for most modded servers, as that argument was added in 1.16+ according to what I read. Here’s a post detailing how to implement a fix for 1.12.2. Please spread for the folks who didn’t click in to the forum.

https://hypixel.net/threads/understanding-the-recent-rce-exploit-for-minecraft-and-what-it-actually-means.4703643/#post-33928741

Is this even a concern if I only play with friends and the IP isn’t public?

Thanks! Updated the announcement in discord to link to your comment.

If you have whitelist on your server, you should be okay. In general it’s a good idea to apply the update to be safe. There may be other ways for someone to exploit it. Also, just because your IP isn’t public doesn’t mean there isn’t someone scanning the internet for Minecraft servers and that they won’t find it.

Microsoft’s own blog post is more concise: https://www.minecraft.net/de-de/article/important-message--security-vulnerability-java-edition?ref=launcher


:grimacing: Yikes. Thanks for the heads up. I didn’t even know that there were security flaws with/in Minecraft.