Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

默认情况下禁止 Minecraft 日志记录中使用 Message Pattern Lookup #1209

Merged
merged 1 commit into from
Dec 10, 2021

Conversation

Glavo
Copy link
Member

@Glavo Glavo commented Dec 9, 2021

Log4j2 被爆出严重的 RCE 漏洞,至目前为止所有版本都存在该漏洞。对于 Minecraft 服务器来说,任何成员只需要向服务器发送带有特定内容的字符串,即可控制服务器执行攻击者想要的命令。(修复见 apache/logging-log4j2#608

由于 Minecraft 客户端允许在网络上共享世界,充当服务器的角色,此时也可能遭受类似的攻击。

该攻击是基于 Log4j2 中的 Message Pattern Lookup 功能,Minecraft 中似乎没有使用该功能,默认禁用它可以避免玩家在使用客户端开服时遭受对应攻击。

@Glavo Glavo marked this pull request as draft December 10, 2021 04:18
@Glavo
Copy link
Member Author

Glavo commented Dec 10, 2021

Forge 似乎在使用这个功能,需要考虑更保守的策略。

@huanghongxun huanghongxun marked this pull request as ready for review December 10, 2021 06:19
@huanghongxun huanghongxun merged commit c31269a into HMCL-dev:javafx Dec 10, 2021
@Glavo Glavo deleted the log4j2 branch December 11, 2021 04:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants