User:JerryHan3/Sandbox/Tutorials/Fix Apache Log4j2 vulnerability

This tutorial introduces how to fix the Apache Log4j2 vulnerability.

Cause
Apache Log4j2, an open source Java logging tool, has been exposed to a high-risk remote code execution vulnerability. Since most versions of Minecraft: Java Edition use this logging tool, most Minecraft players are likely to be vulnerable due to this vulnerability.

Hazards
An attacker can use the vulnerability to execute arbitrary commands on the player's computer without authorization, including downloading malware, consuming system resources, stealing private data and other malicious actions. Because the vulnerability affects so many versions and is so easy to exploit, it poses a very severe security risk to players.

Range of Impact

 * All clients and servers of Minecraft: Java Edition between 13w39a and 1.18.1 Release Candidate 2, which includes:
 * Vanilla clients and servers;
 * Modded clients and servers;
 * Most third-party servers, such as Paper, Spigot, etc.;
 * Other Java versions of clients and servers that meet the above scope.

The following versions are not affected:
 * Minecraft: Bedrock Edition;
 * Minecraft: Java Edition 13w38c and lower versions;
 * Minecraft: Java Edition 1.18.1 Release Candidate 3 and higher versions;
 * BungeeCord servers.

Vanilla Client

 * Minecraft Official Launcher
 * Close the game and restart the launcher. The fixed version will be downloaded automatically.


 * Third-Party Launcher
 * Close the game and update the launcher to the latest version. Check whether the changelog mentions that the vulnerability has been fixed. If not, please fix it according to the paragraph.

Mod Loader

 * Fabric
 * Update the Fabric Loader to 0.12.9 or higher versions.


 * Forge
 * For players who are playing 1.18 and higher versions, please update Forge to 38.0.17 or a higher version.
 * For players who are playing 1.17.7 and lower versions, the loader you are using is no longer safe. Please fix the launcher, or follow the paragraph.


 * Other Mod Loader
 * Since most other loaders have been discontinued, they are no longer safe. Please fix the launcher, or follow the paragraph.

Vanilla Server

 * 1.18
 * Stop the server and update to version 1.18.1. If you can't update it, follow the method for 1.17.


 * 1.17
 * Stop the server and add the following JVM arguments to your startup command line:


 * 1.12~1.16.5
 * Stop the server, download this file to the working directory where your server runs, and add the following JVM arguments to your startup command line:


 * 1.7~1.11.2
 * Stop the server, download this file to the working directory where your server runs, and add the following JVM arguments to your startup command line:

Third-party Server

 * Paper, Waterfall, Velocity, Spigot
 * Urgent updates have been released for each of these servers. Please close the server and update to the latest version.


 * BungeeCord
 * It is not affected and needs no action.


 * Other Servers
 * Stop the server and update it to the latest version. Check whether the changelog mentions that the vulnerability has been fixed. If not, please fix it according to the paragraph.

Temporary Defense Method
''This paragraph refers to the article published by Huorong Security: https://www.bilibili.com/read/cv14365632. Notice that this passage is written in Chinese. ''
 * Add the JVM argument if possible:
 * Set the system environment variable to.
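The "Vanilla Server" section above and this "Temporary Defense Method" both come down to starting the server JVM with a Log4j mitigation. The following script is an added example, not part of the wiki page and not Mojang's own start-up script: it builds a start-up command line that follows the page's version split and checks a command line or the environment for the mitigation. It assumes that the JVM argument meant on the page is the Log4j system property `log4j2.formatMsgNoLookups` (which only takes effect on Log4j 2.10 and newer, which is why older server versions need a replacement configuration file instead) and that the environment variable meant is Log4j's `LOG4J_FORMAT_MSG_NO_LOOKUPS`; the configuration file names are placeholders to be replaced with the files the page tells you to download.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Mojang: build a Minecraft
# server start-up command line carrying the Log4j mitigation appropriate to
# the server version, and check a command line or the environment for it.
#
# Assumptions (not stated on the page):
#  - MITIGATION_FLAG is the Log4j system property that disables message
#    lookups. It only has effect on Log4j 2.10 and newer, which is why the
#    page sends older server versions to a replacement configuration file.
#  - The two LOG4J_CONFIG_* names are placeholders for the files the page
#    says to download; replace them with the real file names.
#  - LOG4J_FORMAT_MSG_NO_LOOKUPS is assumed to be the environment variable
#    the page's "Temporary Defense Method" refers to.

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'
LOG4J_CONFIG_112_116='PLACEHOLDER_log4j2_112-116.xml'   # for 1.12 to 1.16.5
LOG4J_CONFIG_17_111='PLACEHOLDER_log4j2_17-111.xml'     # for 1.7 to 1.11.2

# build_server_cmd VERSION JAR: print the java command line for that server
# version, following the page's version split. Returns 1 for versions the
# page does not cover.
build_server_cmd() {
    version="$1"
    jar="$2"
    case "$version" in
        1.18.1*|1.18.2*|1.19*)
            # Fixed upstream from 1.18.1 on: no extra argument needed.
            printf 'java -Xmx2G -jar %s nogui\n' "$jar" ;;
        1.17*|1.18)
            # 1.17, or a 1.18 that cannot be updated: disable lookups via the flag.
            printf 'java -Xmx2G %s -jar %s nogui\n' "$MITIGATION_FLAG" "$jar" ;;
        1.1[2-6]*)
            # 1.12 to 1.16.5: the flag does not exist in this Log4j, so point
            # Log4j at the downloaded configuration file instead.
            printf 'java -Xmx2G -Dlog4j.configurationFile=%s -jar %s nogui\n' \
                "$LOG4J_CONFIG_112_116" "$jar" ;;
        1.7*|1.8*|1.9*|1.1[01]*)
            # 1.7 to 1.11.2: same approach with the older configuration file.
            printf 'java -Xmx2G -Dlog4j.configurationFile=%s -jar %s nogui\n' \
                "$LOG4J_CONFIG_17_111" "$jar" ;;
        *)
            echo "build_server_cmd: version $version is not covered" >&2
            return 1 ;;
    esac
}

# is_mitigated CMDLINE: succeed if the start-up command line carries either
# the lookup-disabling flag or a replacement Log4j configuration file.
is_mitigated() {
    case "$1" in
        *-Dlog4j2.formatMsgNoLookups=true*|*-Dlog4j.configurationFile=*) return 0 ;;
        *) return 1 ;;
    esac
}

# env_mitigated: succeed if the environment-variable form of the temporary
# defense is in effect for the current shell.
env_mitigated() {
    [ "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}" = "true" ]
}

# Usage: ./start.sh VERSION server.jar  (prints the command line to run)
if [ "$#" -ge 2 ]; then
    build_server_cmd "$1" "$2"
fi
```

Run it as `sh start.sh 1.17.1 server.jar` and paste the printed line into your start-up script; before starting, `env_mitigated` tells you whether the environment-variable form is set in the shell that will launch the server.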

Links

 * Announcement on the official website: "Important Message: Security vulnerability in Java Edition"
 * Unofficial solution released by Huorong Security: "附修复建议| Apache Log4j 远程代码执行漏洞通告" ("Apache Log4j Remote Code Execution Vulnerability Notice, with Fix Recommendations"), IN CHINESE