A far-reaching zero-day security vulnerability has been discovered that may allow malicious actors to execute code remotely on a server, and it may affect a large number of online applications, including Minecraft: Java Edition, Steam, Twitter and others.
The vulnerability is tracked as CVE-2021-44228. Red Hat has given it a severity rating of 9.8, but it is fresh enough that it is still awaiting NVD analysis. It lies in the widely used Java-based Apache Log4j logging library. The danger is that it lets users run code on the server by way of log messages, potentially taking full control without proper access or authorization.
“When message search and replacement is enabled, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server,” the CVE description states.
This issue may affect Minecraft: Java Edition, Tencent, Apple, Twitter, Amazon and other online service providers. That is because, although Java is no longer so common on the consumer side, it is still widely used in enterprise applications. Fortunately, Valve has stated that Steam is not affected by this issue.
“We immediately reviewed our use of log4j services and confirmed that our network security rules prevent downloading and execution of untrusted code,” a Valve representative told PC Gamer. “We do not believe that Steam poses any risks related to this vulnerability.”
As for the fix, fortunately there are several options. According to reports, this issue affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action, as described on the Apache Log4j security vulnerabilities page. Nevertheless, users of older versions can also mitigate the problem by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.
If you run a server that uses Apache Log4j, such as your own Minecraft Java server, you will need to upgrade immediately to a newer version or patch the old version as described above to ensure that your server is protected. Similarly, Mojang has released a patch to protect the game client; more details can be found here.
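The classpath mitigation above is usually applied by deleting JndiLookup.class from each log4j-core jar. The following added example (not from the article, Mojang or the Log4j project) does the same thing in Python: it scans a directory tree for archives that still contain that class, recursing into WAR and uber-jar files where a plain file search would miss it, and rewrites a jar without the class. The `make_sample_tree` fixture builds a fake log4j-core jar and a WAR embedding it purely for demonstration; the version numbers and class bytes in it are constructed, not real Log4j.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that performs the JNDI lookup; deleting it works on every 2.x release, unlike formatMsgNoLookups (2.10+).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def _scan(data: bytes, label: str) -> list:
    """Archives (outer!inner notation) containing the class, recursing into nested jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if JNDI_LOOKUP in zf.namelist():
            hits.append(label)
        for name in zf.namelist():  # WARs and uber-jars embed jars; a file-system search misses those
            if name.lower().endswith(ARCHIVE_EXTS):
                hits.extend(_scan(zf.read(name), f"{label}!{name}"))
    return hits

def find_vulnerable_archives(root) -> list:
    """Walk a directory tree and report every archive that still carries JndiLookup.class."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() in ARCHIVE_EXTS:
            hits.extend(_scan(path.read_bytes(), str(path)))
    return hits

def strip_jndi_lookup(jar_path: Path) -> bool:
    """Rewrite a top-level jar without JndiLookup.class; True if the class was present."""
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_LOOKUP not in zf.namelist():
            return False
        kept = [(i, zf.read(i)) for i in zf.infolist() if i.filename != JNDI_LOOKUP]
    tmp = jar_path.with_suffix(".tmp")
    with zipfile.ZipFile(tmp, "w") as out:
        for info, payload in kept:
            out.writestr(info, payload)
    tmp.replace(jar_path)  # atomic swap: a crash never leaves a half-written jar behind
    return True

def make_sample_tree() -> Path:  # constructed fixture, not real Log4j bytecode
    root = Path(tempfile.mkdtemp())
    jar = root / "log4j-core-2.14.1.jar"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(root / "app.war", "w") as z:
        z.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
    return root
```

Note that stripping the top-level jar does not touch the copy embedded in the WAR, which is why a rescan after patching is worth doing.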
Player safety is our top priority. Unfortunately, earlier today we discovered a security hole in Minecraft: Java Edition. This issue has been fixed, but please follow the steps below to protect your game client and/or server. Please forward to enlarge. https://t.co/4Ji8nsvpHf (December 10, 2021)
The long-term concern is that, although those in the know will now mitigate this potentially dangerous flaw, many more will not, and the flaw may remain unpatched in the dark for a long time.
Many are already worried that the vulnerability is being exploited, including New Zealand's CERT NZ, so many enterprises and cloud users may be eager to fix the impact as soon as possible.
“Because of its ease of use and wide application, we suspect that ransomware attackers will immediately start exploiting this vulnerability,” said security company Randori in a blog post about the vulnerability.