Security Vulnerability in Minecraft: Java Edition

There has been a vulnerability identified in a common Java login library Log4j. This vulnerability affects Java Minecraft servers and clients. You can find the official statement from Mojang on this vulnerability here. Their article also contains the steps you need to take to protect yourself.

Per the Mojang article, part of the required fix is to add certain JVM arguments to your startup command line. This can be done by following the instructions below.

If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.

  1. 1.18: Upgrade to 1.18.2, if possible. If not, use the same approach as for 1.17.x:

  2. 1.17: Add the following JVM arguments to your startup command line: 

    -Dlog4j2.formatMsgNoLookups=true

  3. 1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line: 

    -Dlog4j.configurationFile=log4j2_112-116.xml

  4. 1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your  startup command line: 

    -Dlog4j.configurationFile=log4j2_17-111.xml

  5. Versions below 1.7 are not affected

Thankfully the Minecraft community is amazing, and most of the server versions have been patched, and do not require any fixes as long as you're running the latest builds. As of the writing of this article, the latest builds of the following versions have all been patched and do not require any fixes.

Bungeecord
Paper Waterfall
CraftBukkit 1.18.1
Fabric Loader 0.12.10+
Forge 1.18 (38.0.17)
Forge 1.17.1 (37.1.1)
Forge 1.16.5 (36.2.20)
Forge 1.15.2 (31.2.56)
Forge 1.14.4 (28.2.25)
Forge 1.13.2 (2.25.0.222)
Forge 1.12.2 (14.23.5.2857)
Paper 1.18.1
Paper 1.18
Paper 1.17.1
Paper 1.16.5
Paper 1.15.2
Paper 1.14.4
Paper 1.13.2
Paper 1.12.2
Paper 1.10.2
Spigot 1.18.1
Spigot 1.18
Spigot 1.17.1
Spigot 1.17
Spigot 1.16.5
Spigot 1.15.2
Spigot 1.14.4
Spigot 1.13.2
Spigot 1.12.2
Spigot 1.11.2
Spigot 1.10.2
Spigot 1.9.4
Spigot 1.8.8
Vanilla 1.7 to 1.18.2

If you are running anything else, it's best to proceed with caution and either update (recommended) or apply the fix mentioned by Mojang.

test avatar image
Bruno Ribeiro

We are prepared to help and look for solutions to your problems, We are dedicated and love what we do😉

Join other players on mc.devcode.pt