
Log4J2 JNDI Exploit Fix


This is a tiny client- and server-side Fabric and Forge mod that fixes the Log4j2 JNDI exploit (CVE-2021-44228, "Log4Shell") which surfaced on 2021-12-10 and can lead to crashes, stalls or, in some cases, remote code execution.

Instead of using this mod, you should update your mod loader to one of the following versions if possible:

- Fabric Loader 0.12.12+ for all MC versions
- Forge 1.18.1-39.0.0+ for MC 1.18.1
- Forge 1.18-38.0.17+ for MC 1.18
- Forge 1.17.1-37.1.1+ for MC 1.17.1
- Forge 1.16.5-36.2.20+ for MC 1.16.5
- Forge 1.15.2-31.2.56+ for MC 1.15.2
- Forge 1.14.4-28.2.25+ for MC 1.14.4
- Forge 1.13.2-25.0.222+ for MC 1.13.2
- Forge 1.12.2-14.23.5.2857+ for MC 1.12.2

If you want to play Minecraft versions between 1.7 and 1.18 that are not in this list, or you want to use mods that are incompatible with the updated mod loader versions, the Log4J2 JNDI Exploit Fix mod is a decent option.

This mod works by removing Log4j2's remote JNDI lookup, the feature that expands ${jndi:...} references inside log messages, which Minecraft does not otherwise use. If unmitigated, anyone can craft a malicious chat or disconnect message, send mis-framed packets, or trigger any other activity that gets user-controlled text written to the log, and use it to exploit the bug. Since both client and server log such content, both are equally at risk.

Minecraft, CurseForge and Fabric Loader have mitigated the problem in their launchers and loader, but servers and some older versions remain vulnerable at the time of writing.

Likely already fixed by their platform, and thus not in need of the mod:

- Vanilla client
- Updated Fabric client or server (Fabric Loader 0.12.12+)
- Updated Forge 1.12+ client and server
- 1.18.1-rc3+ client and server
- Any client and server manually mitigated as per https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition

Likely still vulnerable, and thus in need of the mod:

- Unmitigated Vanilla server older than 1.18.1-rc3
- Outdated Fabric or Forge server
- Outdated Fabric or Forge client
- Forge client or server older than 1.12

Incompatible with the mod:

- Forge 1.17+, due to its module encapsulation (the mod's runtime patch cannot reach Log4j2's internals there). Use the Java/JVM argument -Dlog4j2.formatMsgNoLookups=true instead. That argument only works on 1.17+, because the Log4j2 releases shipped with older Minecraft versions ignore it.
- Fabric with Loader 0.12.10+, as it already comes with a similar fix. Use Fabric Loader 0.12.12+ instead of this mod.

Apart from the incompatibilities above, there should be no harm in using the mod even where it is not necessary. It performs a small one-time operation at startup that removes the superfluous but exploitable JNDI lookup mechanism.

There is no guarantee that the mod fixes the exploit in every case, but it acts at a fundamental level. Note that it does not stop exploit messages from being relayed by the server to other clients: a malicious chat message still reaches every connected client, so each client's own Log4j2 must be mitigated as well.
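To illustrate the one-time startup operation described above (and the "removing the remote lookup feature" explanation earlier on this page), here is an added example in Java. It is not the mod's own code. It assumes log4j-core 2.x on the classpath and a Java runtime that still permits reflective access into it; the private field names strLookupMap and lookups are assumptions (the name differs between Log4j2 releases, which is why both are tried), and the class and method names such as JndiLookupRemover are this example's own.

```java
import java.lang.reflect.Field;
import java.util.Map;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.lookup.Interpolator;
import org.apache.logging.log4j.core.lookup.StrLookup;
import org.apache.logging.log4j.core.lookup.StrSubstitutor;

/**
 * Added example, not the mod's own code. Log4j 2 expands "${prefix:key}" in log
 * messages through an Interpolator that maps each prefix ("jndi", "env", ...) to a
 * StrLookup. Dropping the "jndi" entry from that map means "${jndi:...}" is never
 * resolved again, regardless of who controls the logged text.
 *
 * Assumptions: log4j-core 2.x is on the classpath, and the JVM allows the reflective
 * access below (Forge 1.17+ module encapsulation rejects setAccessible, which is why
 * the page recommends -Dlog4j2.formatMsgNoLookups=true there instead).
 */
public final class JndiLookupRemover {

    /** Candidate names of Interpolator's prefix->lookup map (assumption; varies by release). */
    private static final String[] LOOKUP_MAP_FIELDS = {"strLookupMap", "lookups"};

    private JndiLookupRemover() {}

    /** Returns the prefix->StrLookup map of the active configuration, or null if unreachable. */
    @SuppressWarnings("unchecked")
    static Map<String, StrLookup> activeLookupMap() {
        LoggerContext ctx = (LoggerContext) LogManager.getContext(false);
        StrSubstitutor substitutor = ctx.getConfiguration().getStrSubstitutor();
        StrLookup resolver = substitutor.getVariableResolver();
        if (!(resolver instanceof Interpolator)) {
            return null; // a custom resolver we do not know how to patch
        }
        for (String name : LOOKUP_MAP_FIELDS) {
            try {
                Field field = Interpolator.class.getDeclaredField(name);
                field.setAccessible(true);
                return (Map<String, StrLookup>) field.get(resolver);
            } catch (NoSuchFieldException e) {
                // not this Log4j release; try the next known field name
            } catch (IllegalAccessException e) {
                throw new IllegalStateException("cannot read Log4j Interpolator lookups", e);
            }
        }
        return null;
    }

    /** True while the active configuration would still expand "${jndi:...}". */
    public static boolean jndiLookupPresent() {
        Map<String, StrLookup> lookups = activeLookupMap();
        return lookups != null && lookups.containsKey("jndi");
    }

    /** Removes the jndi lookup; returns true if it was present and is now gone. */
    public static boolean removeJndiLookup() {
        Map<String, StrLookup> lookups = activeLookupMap();
        return lookups != null && lookups.remove("jndi") != null;
    }

    /** Run this once at startup, before any user-controlled text can reach the log. */
    public static void main(String[] args) {
        System.out.println("jndi lookup present before: " + jndiLookupPresent());
        System.out.println("removed now: " + removeJndiLookup());
        System.out.println("jndi lookup present after: " + jndiLookupPresent());
    }
}
```

Two caveats a practitioner should keep in mind: the patch only touches the Interpolator of the configuration that is active when it runs, so if Log4j2 reconfigures later (for example from a config file change) the lookup map is rebuilt and the removal has to be repeated; and the check in jndiLookupPresent() inspects the map directly rather than logging a probe string, because an unresolvable "${jndi:...}" is left unexpanded by Log4j2 even when the lookup is still installed, which would make such a probe pass on a vulnerable setup.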