Mojira Archive
MC-245351

1.7-1.11.2 Log4j mitigation can be bypassed

The bug

The Log4j 2 RCE mitigation for Minecraft versions 1.7-1.11.2 can be bypassed. The issue is that the regex pattern it uses relies on the dot (.), which by default does not match line breaks. Therefore, when the log message contains line breaks, it is not discarded.

This can probably be solved by including the DOTALL flag (?s) at the beginning of the regex pattern. But please have a second look that this indeed solves the issue.

For whatever reason I was only able to reproduce this with the dedicated server. In singleplayer the pattern was logged as well, but was apparently not evaluated.

Reproduction steps

  1. Download the 1.11 dedicated server
  2. Download the mitigation log config log4j2_17-111.xml from https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
  3. Start the dedicated server with the log config
    java "-Dlog4j.configurationFile=log4j2_17-111.xml" -jar server.jar
    
  4. Join the server
  5. Type the following in chat
    test ${sys:java.home}
    
  6. Check the log file / console
    The text did not appear in the log, as expected. Note: In case it did appear in the log, make sure you correctly started the server with the log config.
  7. Use the following command
    /setblock ~ ~ ~ standing_sign default replace {Text1:"{\"text\":\"Click me\",\"clickEvent\":{\"action\":\"run_command\",\"value\":\"say ${sys:java.home} \na\"}}",Text2:"[\"\"]",Text3:"[\"\"]",Text4:"[\"\"]"}
    
  8. Right-click the sign
  9. Check the log file / console
    The log contains the substituted value, e.g. "C:\Program Files\..."

Note that this might not be limited to commands.
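
The dot behaviour described under "The bug", and the effect of the suggested (?s) flag, can be checked in isolation with the added example below, which is not code from the report or from the mitigation config. The regex is an assumed stand-in for a "deny any message containing ${...}" pattern, whole-message matching is an assumption about how the filter applies it, and the sample messages are constructed. It goes beyond the single \n case by covering every line terminator that java.util.regex excludes from the dot by default.

```java
import java.util.regex.Pattern;

public class DotAllFilterDemo {
    // Assumed stand-in for a "deny any message containing ${...}" regex;
    // NOT copied from log4j2_17-111.xml.
    static final String WEAK = ".*\\$\\{[^}]*\\}.*";
    // Same pattern with the DOTALL flag suggested in the report.
    static final String HARDENED = "(?s)" + WEAK;

    // Assumption: the filter denies a message only when the regex matches
    // the whole message, so one unmatched character lets it through.
    static boolean denied(String regex, String message) {
        return Pattern.compile(regex).matcher(message).matches();
    }

    public static void main(String[] args) {
        // Constructed messages modelled on steps 5 and 7.
        String chat = "test ${sys:java.home}";
        String sign = "${sys:java.home} \na";
        System.out.println("chat  weak=" + denied(WEAK, chat)
                + " hardened=" + denied(HARDENED, chat));
        System.out.println("sign  weak=" + denied(WEAK, sign)
                + " hardened=" + denied(HARDENED, sign));

        // Every line terminator that '.' skips by default in java.util.regex.
        int[] terminators = {0x0A, 0x0D, 0x85, 0x2028, 0x2029};
        for (int cp : terminators) {
            String msg = "${sys:java.home}" + (char) cp + "a";
            System.out.printf("U+%04X weak=%b hardened=%b%n",
                    cp, denied(WEAK, msg), denied(HARDENED, msg));
        }

        // A message without a lookup must not be denied by either pattern.
        String plain = "hello\nworld";
        System.out.println("plain weak=" + denied(WEAK, plain)
                + " hardened=" + denied(HARDENED, plain));
    }
}
```

Any message for which the weak pattern reports false while the hardened one reports true would reach the logger with its lookup intact under the original config.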

Fixed

Marcono1234

2021-12-11, 03:33 AM

2021-12-14, 07:55 PM

2021-12-14, 08:01 AM

2

4

Confirmed

(Unassigned)

1.18.1

1.18.1