Log4j exploit with Impact client for 1.12.2

[SAPET123]

Is the log4j exploit working with impact for 1.12.2 or is it/ will it be patched? Thats all.

[thatITfox]

if you are running a the official minecraft launcher you can go to advance settings and add -Dlog4j2.formatMsgNoLookups=true to the jvm arguments, well this is what some people told me, i'm not 100% sure. if i'm wrong plz give some feedback

[MyUsernamee]

Is this also patched in 1.16.5?

[thatITfox]

well the article i read told me that it works on older version of minecraft, so it should also work on 1.16

[kitor]

May be not enough to add just this param. While official FAQ doesn't list a solutions for clients, it lists different solutions for 1.12 - 1.16 servers. Someone with better Java experience would need to verify this. https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition

[Coding-Muffin]

@kitor does it mean that the impact is fixed though? Isn't it a separate launcher?

[kitor]

@Coding-Muffin I don't know why you ask me.

Anyway, per official MS FAQ:

Modified clients and third-party launchers might not be automatically updated. In these cases, we recommend following the advice of your third-party provider. If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing.

Have you seen any Impact updates for 12.2 since March of this year?

[Coding-Muffin]

@kitor thought you might know as you have sent a reference to the docs. Tbh I'm pretty sure impact is dead now, as it didn't update since the beginning of the year

[Coding-Muffin]

@kitor there are no daily updates too, its dead... time to go to future I guess...

[kitor]

Not true. There were 1.16.x Impact nightly releases for premium users while test.2b2t.org was resurrected earlier this year.

[Coding-Muffin]

IDK... Discord is also dead though, plus this log4j is not something that is obscure, it's literally a nightmare for so many developers and headline news for 2 weeks Hope impact is not dead though

[TechJack78]

https://wiki.wurstclient.net/log4shell By looking at the: How to test if you are affected section, it looks like its ok if your java is up to date but I'm not sure. I tried it on Impact and I got the not vulnerable result on my single player world. Can anyone else replicate this?

[CesiumCs]

checked with a few guides including that one and it seems like its not vulnerable to the exploit. would still recommend for anyone to test themselves before using the mod online though

[SIMULATAN]

Impact uses mixin which means that as long as vanilla isn't vulnerable Impact isn't too. (Exception: they added the exploit manually which I don't think they did, lol)

[CesiumCs]

right. keeping this open for a while just so it stays visible

[biran4454]

idk much about impact development or the exploit, but I do know that I'm staying well away from using impact in multiplayer, along with any other not-regularly-updated hacked clients (eg. kamiblue etc.) and I'd advise everyone else to stay away from multiplayer as well. wurst has patched it, but wurst is (fittingly) so much worse than impact that idk if I can cope with it. as someone mentioned the discord is dead so there's not really any reliable way to check if it's patched except to wait until it's clearly mentioned by the devs.

[thatITfox]

hey i just found a video on hak5 to test if something is vulnerable to log4shell, https://youtu.be/qjA_vc9Ua5A. i test it on the client and it didn't activate the exploit, let me know if you guys get any results from this

[biran4454]

I've also tried the (very easy) example from https://gaming.stackexchange.com/a/394240 and also https://log4j-tester.trendmicro.com/ . It's not a guarantee obviously, but I didn't get a positive result from either of those tests on singleplayer 1.16.5 java17. I'd suggest still putting Dlog4j2.formatMsgNoLookups=true in your launch settings though, especially if using Impact on anarchy servers.