Akarin-project / Akarin

Akarin is a powerful server software from the 'new dimension'
https://akarin.app

any plan to mitigate log4j 0day cve? #214

Closed ghost closed 2 years ago

ghost commented 2 years ago

Maybe we should update log4j (to 2.17.0 I suppose) in Akarin to mitigate the exploit, as I found that Akarin uses an old version of log4j and I can easily exploit the vulnerability by simply typing something like ${jndi:ldap://.....} in the chat box (I had trouble fixing it with -Dlog4j2.formatMsgNoLookups=true; it did not work). I'm currently trying to solve this by modifying the version in the pom, but I'm not sure whether it is OK. In 1.12.2 I can change the log4j version used by Akarin in /sources/pom.xml, but Paper seems to use another one (I haven't tested this method as I'm having trouble compiling). For higher versions, maybe just copying the patch file from upstream is okay?

josephworks commented 2 years ago

I am aware of these CVEs. Patches to fix these will be accepted.

FatSaw commented 2 years ago

I tried building Akarin with log4j 2.17.0, and it did not fix the exploit. Maybe the problem is in Akarin's dependencies. LegacyLauncher uses an old log4j.

josephworks commented 2 years ago

I don't believe that we provide LegacyLauncher. We might be able to exclude log4j from the LegacyLauncher lib in the pom.xml.

ghost commented 2 years ago

Maybe we should modify the maven shade plugin config? Different OSes might have different build behavior :(

ghost commented 2 years ago

I will try to fix this but I'm too busy now to work on it.

FatSaw commented 2 years ago

It's authlib with log4j 2.8.1, after the paper-api build. authlib pom
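The fix discussed above (excluding the old log4j pulled in transitively by LegacyLauncher/authlib and building against 2.17.0) could be expressed in a Maven pom like the following. This is an added example, not Akarin's own pom.xml or patch; the `com.mojang:authlib` coordinates are an assumption and its version is a placeholder.

```xml
<project>
  <!-- Added example, not Akarin's pom.xml. authlib coordinates are an
       assumption; AUTHLIB_VERSION_PLACEHOLDER must be replaced. -->
  <properties>
    <log4j.version>2.17.0</log4j.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin every transitive log4j-api/log4j-core to the fixed release so a
           dependency such as authlib cannot drag 2.8.1 into the shaded jar. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.mojang</groupId>
      <artifactId>authlib</artifactId>
      <version>AUTHLIB_VERSION_PLACEHOLDER</version>
      <!-- Also exclude the old log4j that authlib declares, so only the
           pinned version reaches the maven-shade-plugin. -->
      <exclusions>
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Declare log4j directly; the version comes from dependencyManagement. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
    </dependency>
  </dependencies>
</project>
```

After rebuilding, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` should list only 2.17.0 for every module that ends up in the shaded jar; any remaining 2.8.1 entry points at the dependency still needing an exclusion.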

FatSaw commented 2 years ago

It should fix the log4j 0day CVE: #227

FatSaw commented 2 years ago

Problem solved for 1.12.2; we can close the issue.