Minecraft 1.18 Remote Code Exploit cover

Latest News

[Updated] Mojang Launches Fix for Minecraft Servers Affected By Apache Remote Code Exploit

December 9, 2021

By: Robert N. Adams

 
 
More Info About This Game
Developer
Mojang
Publisher
Xbox Game Studios
Release Date
May 17,2009 (Calendar)
Purchase (Some links may be affiliated)

Update (December 10, 2021, 2:13 PM Eastern Time) - Mojang has released Minecraft 1.18.1 to address a security vulnerability in Minecraft servers due to Log4J.

"Hello everyone! Earlier today, we identified a vulnerability in the form of an exploit within Log4j – a common Java logging library," read an article on the Minecraft website. "This exploit affects many services – including Minecraft Java Edition."

 

"This vulnerability poses a potential risk of your computer being compromised, and while this exploit has been addressed with all versions of the game client patched, you still need to take the following steps to secure your game and your servers."

Most players will simply need to restart their client to update the game and deploy the fix. Server owners will need to upgrade their server in the usual fashion, if possible, or add a JVM argument to the server's startup command line. Modded servers will need to download a file and add a different JVM argument to the startup command line; versions below 1.7 are not affected by this vulnerability.

 
 

You can read about what you need to do to protect yourself in Minecraft multiplayer in today's article on the Minecraft website.

Our original story continues below.

 
 

A  security vulnerability has been discovered in Apache Log4J 2, which could affect Minecraft multiplayer servers and allow remote code execution.

The last few months have been pretty great for Minecraft. We got a hint at the next new mob, the surprising reveal of a team-up with Disney, and the release of Caves and Cliffs Part 2. Unfortunately, it's Minecraft's turn for a bit of bad news -- a critical security exploit has been found in software that its multiplayer services are dependent on.

Minecraft Remote Code Exploit slice

What is Going On With Minecraft Multiplayer Servers and Apache Log4J 2?

A security vulnerability has apparently been discovered in Apache Log4J 2, a logging and tracing API that is used with Apache servers. Unfortunately, Minecraft is one of the many games whose multiplayer servers use this logging software behind the scenes.

 
 

"Basically, due to the logging library not cleaning up inputs properly, people can literally type a message in chat on a server, which would then be logged by other people's clients, and be used to do bad things (remote code execution/injection perhaps?)," read a submission on the /r/Hypixel subreddit I don't know about the specifics, but to the best of my knowledge, this is a very, very severe issue."

Unfortunately, there are a lot of unknowns here. Based on what we know, it is possible that someone in a multiplayer server could execute remote code on your computer through Minecraft. However, this Apache Log 4J 2 exploit was just disclosed today, so there haven't been any notable real-world cases of it happening.

Considering the widespread use of Apache (and Minecraft's popularity around the world), it's probably best to stay away from multiplayer for the next day or two until this issue is sorted out -- just in case. On the upside, single-player should be unaffected by this issue; you can jump into the game by buying Minecraft on PC, consoles, and mobile devices via its official website.

Have you ever encountered hackers in Minecraft? What's the worst technical issue you've encountered in the game? Let us know in the comments below!