MinecraftServerControl / mscs

Powerful command-line control for UNIX and Linux powered Minecraft servers
https://minecraftservercontrol.github.io
BSD 2-Clause "Simplified" License

Log4j and Log4Shell vulnerability CVE-2021-44228 #301

Open estepix opened 2 years ago

estepix commented 2 years ago

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Hi, I was wondering if you will upgrade MSCS to use log4j 2.15, since at the moment it downloads the vulnerable version 2.14.1. I'm not sure the vulnerability affects MSCS though, since Minecraft reports that MC v1.18.1 is already fixed.

To be on the safe side, I have added this to my mscs.defaults:

mscs-default-jvm-args=-Dlog4j2.formatMsgNoLookups=true

As recommended by Minecraft for server versions 1.17.x and 1.18.

Thanks very much in advance

sandain commented 2 years ago

Hi @estepix.

First off, MSCS does not use log4j. I'm not aware of how it gets installed, if certain addons install it, or if it comes bundled with Minecraft itself. According to Mojang, version 1.18.1 is safe to use. However, it probably is a good idea to add the workaround to the JVM args as you have done for servers running version 1.17. Servers running older software should look here for more information.

I don't plan on making any changes to the script due to this CVE unless I'm convinced otherwise. However, I think it would be best to leave this issue open so that other server admins will see it.

izcet commented 2 years ago

There are additional JVM flags associated with this vulnerability that may still lead to exploitation. If you want to run a Minecraft server built with a vulnerable version of log4j (read: pre-1.18.1), you should use the following:

-Dlog4j2.formatMsgNoLookups=true
-Dcom.sun.jndi.rmi.object.trustURLCodebase=false
-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false

jwbrase commented 2 years ago

The instructions at https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition?ref=launcher say that for versions 1.12-1.16.5, you download a provided file, log4j2_112-116.xml, to the server's working directory, then add -Dlog4j.configurationFile=log4j2_112-116.xml to the command line for the server. Just to confirm, the working directory for a server running under mscs will be /opt/mscs/worlds/worldname (or ~user/mscs/worlds/worldname for a multi-user installation), correct?

sandain commented 2 years ago

Hi @jwbrase. I would think the best way to do this would be to save the XML file to the server folder /opt/mscs/server and use the mscs-jvm-args option:

mscs-jvm-args=-Dlog4j.configurationFile=/opt/mscs/server/log4j2_112-116.xml

sandain commented 2 years ago

See the documentation for using these options: https://minecraftservercontrol.github.io/docs/mscs/adjusting-world-server-properties#individual-world-properties
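As an added example (not part of mscs or of any comment above), the following shell functions apply the version ranges discussed in this thread to the value of a world's mscs-jvm-args or mscs-default-jvm-args line and report whether the matching mitigation is present. The sample args string and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of mscs: decide which Log4Shell mitigation a world's
# JVM args should carry for its Minecraft version, using the version ranges
# given in this thread, and report whether that mitigation is present.

# Constructed sample value of an mscs-jvm-args / mscs-default-jvm-args line.
SAMPLE_ARGS='-Xmx2G -Dlog4j2.formatMsgNoLookups=true -Dcom.sun.jndi.rmi.object.trustURLCodebase=false -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false'

# has_flag ARGS FLAG: succeed if FLAG is present as a whole token in ARGS.
has_flag() {
  for tok in $1; do
    [ "$tok" = "$2" ] && return 0
  done
  return 1
}

# version_class VERSION: fixed (1.18.1 and later), workaround (1.17.x, 1.18),
# configfile (1.12 to 1.16.5), or unknown for anything outside those ranges.
version_class() {
  case "$1" in
    1.18.[1-9]*|1.19*|1.[2-9][0-9]*) echo fixed ;;
    1.17*|1.18) echo workaround ;;
    1.1[2-6]*) echo configfile ;;
    *) echo unknown ;;
  esac
}

# check_world VERSION ARGS: ok when the mitigation for that version is present,
# missing when it is not, unknown when the version is outside the ranges above.
check_world() {
  case "$(version_class "$1")" in
    fixed) echo ok ;;
    workaround)
      has_flag "$2" -Dlog4j2.formatMsgNoLookups=true && echo ok || echo missing ;;
    configfile)
      case " $2 " in
        *" -Dlog4j.configurationFile="*) echo ok ;;
        *) echo missing ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# jndi_hardened ARGS: succeed if both trustURLCodebase flags from the thread are set.
jndi_hardened() {
  has_flag "$1" -Dcom.sun.jndi.rmi.object.trustURLCodebase=false &&
  has_flag "$1" -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false
}

echo "1.17.1 with sample args: $(check_world 1.17.1 "$SAMPLE_ARGS")"   # ok
```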