Minecraft: Java Edition should be patched immediately after severe exploit discovered across web
The Apache Log4j exploit may impact Minecraft: Java Edition, Amazon, Twitter and many more, but can be mitigated.
A far-reaching zero-day security vulnerability has been discovered that could allow for remote code execution by nefarious actors on a server, and which could impact heaps of online applications, including Minecraft: Java Edition, Steam, Twitter, and many more if left unchecked.
The exploit is ID’d as CVE-2021-44228, which is marked as 9.8 on the severity scale by Red Hat but is fresh enough that it’s still awaiting analysis by NVD. It sits within the widely-used Apache Log4j Java-based logging library, and the danger lies in how it enables a user to run code on a server through the use of log messages, potentially taking over complete control without proper access or authority.
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” the CVE ID description states.
The issue could affect Minecraft: Java Edition, Tencent, Apple, Twitter, Amazon, and many more online service providers. That’s because while Java isn’t so common for users anymore, it is still widely used in enterprise applications. Fortunately, Valve said that Steam is not impacted by the issue.
“We immediately reviewed our services that use log4j and verified that our network security rules blocked downloading and executing untrusted code,” a Valve representative told PC Gamer. “We do not believe there are any risks to Steam associated with this vulnerability.”
As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Users of older versions can also mitigate the issue by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.
If you’re running a server using Apache Log4j, such as your own Minecraft Java server, you will want to upgrade immediately to the newer version or patch your older version as above to ensure your server is protected. Similarly, Mojang has released a patch to secure users’ game clients, and further details can be found here.
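To check which of those states a server is actually in, the sketch below walks a directory of jars and reports, for each copy of log4j-core it finds, the version and whether the JndiLookup class is still present. It is an added example, not code from Apache, Mojang or this article; the function names are made up for illustration, and it assumes the standard log4j-core jar layout (the class path and Maven metadata path shown in the constants). It cannot see whether the “log4j2.formatMsgNoLookups” property is set, since that lives in the JVM launch options.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class the article says can be removed from the classpath as a mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars and by many bundled copies.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Return the first x.y[.z] number in text as an int tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_jar(path):
    """Return (version, has_jndi, status), or None when the jar holds no log4j-core."""
    is_core_name = Path(path).name.startswith("log4j-core")
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    has_jndi = JNDI_CLASS in names
    if not (props or has_jndi or is_core_name):
        return None
    m = re.search(r"^version=(.+)$", props, re.M)
    # Trust embedded metadata first; use the file name only for log4j-core-*.jar.
    version = parse_version(m.group(1) if m else Path(path).name if is_core_name else "")
    if version is None:
        status = "review: version unknown"
    elif (2, 0, 0) <= version <= (2, 14, 1):  # affected range given in the article
        status = "affected: upgrade" if has_jndi else "affected version, JndiLookup removed"
    elif version >= (2, 15, 0):
        status = "2.15 or later"
    else:
        status = "outside the range the article gives"
    return version, has_jndi, status

def scan(root):
    """Inspect every readable .jar under root; return {path: result} for log4j-core hits."""
    found = {}
    for jar_path in sorted(Path(root).rglob("*.jar")):
        try:
            found[str(jar_path)] = inspect_jar(jar_path)
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable or not a real zip archive
    return {p: r for p, r in found.items() if r}

if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else ".").items(), sep="\n")
```

Run it with the server directory as the only argument. Jars nested inside other jars are not opened, so a “review” result on a bundled server jar still needs a manual look.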
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition. The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://t.co/4Ji8nsvpHf (December 10, 2021)
The long-term fear is that, while those in the know will now mitigate the potentially dangerous flaw, there will be many more left in the dark who will not and may leave the flaw unpatched for a long period of time.
Many, including CERT NZ, fear the vulnerability is already being exploited. As such, many enterprise and cloud users will likely be rushing to patch as quickly as possible.
“Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately,” security firm Randori says in a blog post on the vulnerability.
Jacob earned his first byline writing for his own tech blog. From there, he graduated to professionally breaking things as hardware writer at PCGamesN, and would go on to run the team as hardware editor. He joined PC Gamer’s top staff as senior hardware editor before becoming managing editor of the hardware team, and you’ll now find him reporting on the latest developments in the technology and gaming industries and testing the newest PC components.