There has been a vulnerability identified in a common Java login library Log4j. This vulnerability affects Java Minecraft servers and clients. You can find the official statement from Mojang on this vulnerability here. Their article also contains the steps you need to take to protect yourself.
Per the Mojang article, part of the required fix is to add certain JVM arguments to your startup command line. This can be done by following the instructions below.
If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.
1.18: Upgrade to 1.18.2, if possible. If not, use the same approach as for 1.17.x:
1.17: Add the following JVM arguments to your startup command line:
1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
Versions below 1.7 are not affected
Thankfully the Minecraft community is amazing, and most of the server versions have been patched, and do not require any fixes as long as you're running the latest builds. As of the writing of this article, the latest builds of the following versions have all been patched and do not require any fixes.
Fabric Loader 0.12.10+
Forge 1.18 (38.0.17)
Forge 1.17.1 (37.1.1)
Forge 1.16.5 (36.2.20)
Forge 1.15.2 (31.2.56)
Forge 1.14.4 (28.2.25)
Forge 1.13.2 (18.104.22.168)
Forge 1.12.2 (22.214.171.12457)
Vanilla 1.7 to 1.18.2
If you are running anything else, it's best to proceed with caution and either update (recommended) or apply the fix mentioned by Mojang.