How can I check if my Minecraft client is vulnerable to Log4j?


I know that the Log4Shell exploit in Log4j allows attackers to run arbitrary commands on people's computers, and that Minecraft is vulnerable. Is there a Minecraft server that I can join which will tell me if my client is patched or if I'm vulnerable? If not, is there another way that I can check if the vulnerability exists on my system?



Best Answer

A second option, if you're a little more paranoid and/or interested in the technical details, is to try using ${java:version} as a harmless indicator of vulnerability to CVE-2021-44228. This should work for both servers and clients; I'll focus on clients here, but some brief notes on servers are included just for fun.

First, you'll need a way to view the logs. This can be the debug log for the client, which you can enable in the launcher; the console, if you're running a server; or the most recent entry in your logs folder for either (for the client, this can be found at %AppData%/Roaming/.minecraft on Windows, ~/Library/Application Support/minecraft on Mac, or ~/.minecraft on Linux).

Now, you can open a single-player world, and type ${java:version} in chat. In your log, you should see one of two things: the unmodified message ${java:version}, or something like Java Version [some numbers]. If it's the first, and what you typed in is unchanged, you should be safe. If it gets changed to indicate the Java version, you are vulnerable.

It should go without saying, but do not try anything you don't understand (things like ${jndi:...}), and if you're running a server or a world open to LAN, be extra careful to block the port it's running on (so other people can't also exploit the vulnerability).
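The log check described in this answer can be scripted. The following is an added example, not part of the original answer: it assumes chat lines carry a `[CHAT]` marker followed by an optional `<Name>`, and the sample log lines are constructed for illustration.

```python
import re
import sys

PROBE = "${java:version}"
# Assumed client log layout: "[12:00:01] [Render thread/INFO]: [CHAT] <Name> message"
CHAT = re.compile(r"\[CHAT\]\s*(?:<[^>]*>\s*)?(?P<msg>.*)$")
# Expanded form as the answer describes it: "Java Version [some numbers]"
EXPANDED = re.compile(r"java version\s+\d[\w.+-]*", re.IGNORECASE)


def classify_line(line):
    """Return 'literal', 'expanded', or None for one log line."""
    m = CHAT.search(line.rstrip("\n"))
    if not m:
        return None          # not a chat line, ignore it
    msg = m.group("msg")
    if PROBE in msg:
        return "literal"     # lookup string was logged unchanged
    if EXPANDED.search(msg):
        return "expanded"    # the logger substituted the lookup
    return None


def assess(lines):
    """Summarise a whole log; one expanded probe outweighs any literal ones."""
    seen = {classify_line(line) for line in lines}
    if "expanded" in seen:
        return "vulnerable"
    if "literal" in seen:
        return "not expanded"
    return "no probe found"


# Constructed sample logs (player name and Java version are made up).
PATCHED_LOG = [
    "[12:00:00] [Render thread/INFO]: Setting user: Steve",
    "[12:00:05] [Render thread/INFO]: [CHAT] <Steve> ${java:version}",
]
UNPATCHED_LOG = [
    "[12:00:00] [Client thread/INFO]: Setting user: Steve",
    "[12:00:05] [Client thread/INFO]: [CHAT] <Steve> Java version 1.8.0_51",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:    # path to a log file, e.g. the newest one in logs/
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(assess(fh))
    else:
        print(assess(PATCHED_LOG), "/", assess(UNPATCHED_LOG))
```

A chat message that was typed by hand as "Java version 17" would also be classified as expanded, so run it against a log from a session where only the probe was sent.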







Is my Minecraft server vulnerable to Log4j?

The first thing you need to do is to check which version of Minecraft you're running on your server. The Log4J exploit only affects Minecraft version 1.7 and above, so if you have Minecraft 1.6, for example, you're in the clear. Now, the first thing you should try is to update your Minecraft to version 1.18.

What versions of Minecraft are vulnerable to Log4j?

The Spigot gaming forum said that Minecraft versions 1.8.8 through the most current 1.18 release are all vulnerable, as did other popular game servers such as Wynncraft.

Is Minecraft Forge safe from Log4j?

As for the log4j vulnerability, basically all Minecraft clients are not protected against this vulnerability (if you didn't restart your Minecraft launcher and client, of course). This includes Forge of course, so re-installing your Forge is critical.

Is Log4j fixed on Hypixel?

It's mostly fixed. It's completely fixed if you have Windows 11 or Java 8 (you can download Java 8 on their website).







Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.

Images: RF._.studio, Laura James, Ksenia Chernaya, Anna Shvets