A serious security problem has been discovered in Log4j, a popular and widely used logging library written in the Java programming language, and it is affecting Minecraft, among other platforms and systems.
This vulnerability (identified as CVE-2021-44228) has been classified as severe, since according to its entry in the CVE (Common Vulnerabilities and Exposures) registry, “An attacker who can control messages or registry parameters can execute arbitrary code that is loaded from another server.”
As explained by the New Zealand government's cybersecurity agency, the vulnerability affects any program, service or system that uses the Log4j library in any version between 2.0 and 2.14.1. Worse still, the agency also indicates that there are already reports of malicious actors trying to exploit this vulnerability, and likely not for legitimate purposes.
At the time of publishing this article, Apache has already released a first fix and the recommendation is, for those who use Log4j on their systems, to update to version 2.15.0.
Now, this is a serious problem that will mainly affect large companies that use the library on their systems. Among others, it has been mentioned that Apple, Twitter, Steam and Amazon are exposed and will have to correct the flaw as soon as they can.
But the case of Minecraft is somewhat more complex, as it is one of the best-selling and most popular video games in history. Minecraft uses Log4j in its Java-based version and, fortunately, Mojang has already released an update that avoids the problem. In addition, they are asking all players who play the Java version on a computer to update as soon as possible.
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.
The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://t.co/4Ji8nsvpHf
— Minecraft (@Minecraft) December 10, 2021
For now, it is too early to know what the real scope of this vulnerability will be, which has many security experts on edge.