MultiMC / Launcher

A custom launcher for Minecraft that allows you to easily manage multiple installations of Minecraft at once
https://multimc.org/

bump Log4j version to >2.17 #4917

Closed JasonBuckner closed 2 years ago

JasonBuckner commented 2 years ago

Role

I play vanilla & modded Minecraft on servers.

Suggestion

address this Apache Log4j Security Vulnerability

Benefit

Apache Log4j Security Vulnerabilities are frowny face emoji and I'd like to be able to Minecraft again.

This suggestion is unique


CVE-2021-44832 is a lovely vulnerability that impacts all versions of Log4j from 2.0-beta7 to 2.17.0, excluding 2.3.2 and 2.12.4. See also #4349.

Personally, I'm running Java 8 (for REASONS) and am stuck with version 2.0-beta9-fixed of Log4j.

phit commented 2 years ago

All versions you get in MultiMC are patched already.

phit commented 2 years ago

https://multimc.org/posts/log4j-remote-execution.html

JasonBuckner commented 2 years ago

Thanks for the speedy reply! My mistake, wrong link. I intended to use this one: Apache Log4j Security Vulnerabilities. That page was last updated (with a new vulnerability) on 2022-09-13.

It's my understanding that the version recommended in the article that @phit linked, and the one that I'm using (2.0-beta9-fixed), is still vulnerable (or perhaps has recently been discovered to be vulnerable).

Is that not the case?

phit commented 2 years ago

I don't see a new CVE on that page? The JndiLookup has been completely removed in the fixed version, so unless there's a new class of vulnerabilities found, it should not affect us.

JasonBuckner commented 2 years ago

Arctic Wolf is complaining about CVE-2021-44228... so, I donno.

phit commented 2 years ago

yeah that's old and patched

JasonBuckner commented 2 years ago

Sorry to be a pest, but just to verify... this output from Arctic Wolf Log4Shell Deep Scan is nothing to worry about, right?

Result: FAIL The following Java applications contain Log4j JndiLookup, do not appear to have been updated to Log4J 2.16+ or Log4J 2.12.2+, and are likely subject to Log4Shell (CVE-2021-44228, CVE-2021-45046).

  • C:...\MultiMC\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar
  • C:...\MultiMC\libraries\com\mojang\patchy\1.3.9\patchy-1.3.9.jar
  • C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar
  • C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9-fixed\log4j-core-2.0-beta9-fixed.jar
  • C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.11.2\log4j-core-2.11.2.jar
  • C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.8.1\log4j-core-2.8.1.jar

For remediation steps, contact the vendor of each affected application.

phit commented 2 years ago

Right, though this one, `MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar`, can be deleted; nothing should be using it anymore.
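The distinction phit draws above (whether a jar still ships the `JndiLookup` class, rather than what its file name or version string says) can be checked directly. The following is an added example, not code from MultiMC or from the Arctic Wolf scanner: it opens each jar under a libraries directory, looks for the `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry (descending into nested jars), and reports the result. The two sample jars it builds are constructed stand-ins containing placeholder bytes, not real Log4j bytecode.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Entry whose presence in a log4j-core jar is the actual exposure for
# CVE-2021-44228 style lookups; the "-fixed" build strips it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _zip_has_jndi_lookup(zf):
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            return True
        if name.endswith((".jar", ".war", ".ear")):
            # Shaded / fat jars embed log4j-core as a nested archive.
            with zf.open(name) as nested:
                with zipfile.ZipFile(io.BytesIO(nested.read())) as inner:
                    if _zip_has_jndi_lookup(inner):
                        return True
    return False


def jar_has_jndi_lookup(jar_path):
    """True if the jar (or any jar nested inside it) contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return _zip_has_jndi_lookup(zf)


def scan_library_dir(root):
    """Map each *.jar file name under root to whether it still ships JndiLookup."""
    return {p.name: jar_has_jndi_lookup(p) for p in sorted(Path(root).rglob("*.jar"))}


def build_sample_jars(dest):
    """Constructed stand-ins for a vanilla and a patched log4j-core jar (placeholder bytes)."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(dest / "log4j-core-2.0-beta9.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(dest / "log4j-core-2.0-beta9-fixed.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return dest


def demo():
    """Build the two sample jars in a temp dir and scan them; returns {name: flagged}."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_library_dir(build_sample_jars(tmp))


if __name__ == "__main__":
    for jar, flagged in demo().items():
        print("VULNERABLE" if flagged else "ok        ", jar)
```

Point `scan_library_dir` at a real `MultiMC\libraries` folder to see which log4j-core jars on disk actually contain the class, independent of the version in their file name.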

StripedTailz commented 2 months ago

I'm looking for "log4j-core-2.0-beta9-fixed.jar", as my Minecraft launcher cannot download from this link: "https://intent.store/resources/org/apache/logging/log4j/log4j-core/2.0-beta9/log4j-core-2.0-beta9-fixed.jar". Does anyone have this file?

phit commented 2 months ago

https://files.multimc.org/maven/org/apache/logging/log4j/log4j-api/2.0-beta9-fixed/log4j-api-2.0-beta9-fixed.jar