Log4j Exploit Fixes

Demosthenex · December 11, 2021, 4:49pm

Server has -Dlog4j2.formatMsgNoLookups=true and Important Message: Security vulnerability in Java Edition | Minecraft xml config applied with -Dlog4j.configurationFile=log4j2_17-111.xml

On client, sent chat message with

${jndi:ldap://127.0.0.1/a}

Client crashed with “Internal error” message.

On server, process kept running and logged:

[17:43:17] [Server thread/WARN]: Failed to handle packet for /10.66.69.201:65082
java.lang.IllegalArgumentException: Illegal character in path at index 18: ldap://127.0.
0.1/a}
at java.net.URI.create(URI.java:852) ~[?:1.8.0_265]
at net.minecraftforge.common.ForgeHooks.newChatWithLinks(ForgeHooks.java:417) ~[
ForgeHooks.class:?]
at net.minecraft.network.NetHandlerPlayServer.func_147354_a(NetHandlerPlayServer
.java:722) ~[nh.class:?]
at net.minecraft.network.play.client.C01PacketChatMessage.func_148833_a(SourceFi
le:37) ~[ir.class:?]
at net.minecraft.network.play.client.C01PacketChatMessage.func_148833_a(SourceFi
le:9) ~[ir.class:?]
at net.minecraft.network.NetworkManager.func_74428_b(NetworkManager.java:212) ~[
ej.class:?]
at net.minecraft.network.NetworkSystem.func_151269_c(NetworkSystem.java:165) [nc
.class:?]
at net.minecraft.server.MinecraftServer.func_71190_q(MinecraftServer.java:659) [
MinecraftServer.class:?]
at net.minecraft.server.dedicated.DedicatedServer.func_71190_q(DedicatedServer.j
ava:334) [lt.class:?]
at net.minecraft.server.MinecraftServer.func_71217_p(MinecraftServer.java:547) [
MinecraftServer.class:?]
at fastcraft.u.a(F:289) [FastCraft.jar:?]
at fastcraft.H.aq(F:36) [FastCraft.jar:?]
at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:396) [Minecraft
Server.class:?]
at net.minecraft.server.MinecraftServer$2.run(MinecraftServer.java:685) [li.clas
s:?]
Caused by: java.net.URISyntaxException: Illegal character in path at index 18: ldap://12
7.0.0.1/a}
at java.net.URI$Parser.fail(URI.java:2848) ~[?:1.8.0_265]
at java.net.URI$Parser.checkChars(URI.java:3021) ~[?:1.8.0_265]
at java.net.URI$Parser.parseHierarchical(URI.java:3105) ~[?:1.8.0_265]
at java.net.URI$Parser.parse(URI.java:3053) ~[?:1.8.0_265]
at java.net.URI.(URI.java:588) ~[?:1.8.0_265]
at java.net.URI.create(URI.java:850) ~[?:1.8.0_265]
… 13 more

does that mean successfully patched and not vulnerable?