Mod
Log4J2 JNDI Exploit Fix
No reviews yet
This mod fixes a critical vulnerability in Log4J2 in conjunction with JNDI.
Community voices
Reviews
Click once to include, again to exclude, again to clear
No reviews yet. Be the first to review this project!
Get it on
Available Platforms
For authors
Embed Badge
If you're the author of this project, you can embed a live badge anywhere that supports HTML or Markdown. It updates automatically whenever ratings change.
Use HTML for any page that supports it, or Markdown for README files and Markdown-based descriptions.
Identifiers
Platform IDs
Resources
External Links
About
Description
This is a tiny client and server, Fabric and Forge mod to fix the Log4J2 exploit that surfaced 2021-12-10 and may lead to crashes, stalls or remote code execution in some cases.
Instead of using this mod you should update your mod loader to the following versions, if possible:
- Fabric Loader 0.12.12+ for all MC versions
- Forge 1.18.1-39.0.0+ for MC 1.18.1
- Forge 1.18-38.0.17+ for MC 1.18
- Forge 1.17.1-37.1.1+ for MC 1.17.1
- Forge 1.16.5-36.2.20+ for MC 1.16.5
- Forge 1.15.2-31.2.56+ for MC 1.15.2
- Forge 1.14.4-28.2.25+ for MC 1.14.4
- Forge 1.13.2-25.0.222+ for MC 1.13.2
- Forge 1.12.2-14.23.5.2857+ for MC 1.12.2
If your want to play Minecraft versions between 1.7 and 1.18 that are not in this list or you want to use mods that are incompatible with the updated mod loader versions, the Log4J2 JNDI Exploit Fix mod is a decent option.
This mod works by removing a highly problematic log content remote lookup feature, which is not used otherwise. If unmitigated anyone can draft a malicious chat or disconnect message, use mis-framed packets or other forms of activity that involves generating user controlled log output to exploit the bug. Since both client and server log, they are equally at risk.
Minecraft, CurseForge and Fabric Loader mitigated the problem in their launcher, but servers and some old versions remain vulnerable at the time of writing.
Likely fixed by their platform are currently and thus don't need the mod:
- Vanilla client
- Updated Fabric client or server (Fabric Loader 0.12.12+)
- Updated Forge 1.12+ client and server
- 1.18.1-rc3+ client and server
- Any client and server manually mitigated as per https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
Likely vulnerable are currently and thus need the mod:
- Unmitigated Vanilla server older than 1.18.1-rc3
- Outdated Fabric or Forge server
- Outdated Fabric or Forge client
- Forge client or server older than 1.12
Incompatible with the mod:
- Forge 1.17+ due to its module encapsulation - use the Java/JVM argument -Dlog4j2.formatMsgNoLookups=true instead (only works for 1.17+!)
- Fabric with Loader 0.12.10+ as it comes with a similar fix, use Fabric Loader 0.12.12 instead of this mod
There should be no harm in using the mod even if it is not necessary outside the above incompatibilities. It does a small one time operation at startup to remove the superfluous but exploitable JNDI lookup mechanism.
There is no guarantee that the mod definitely fixes the exploit, but it acts on a fundamental level. It does not prevent exploiting messages from traversing the server to other clients.
Screenshots
Gallery
Versions
Files
Relations
Project Relations
More like this
Similar Mods
Suggestions use data such as tags, dependencies, dependents, descriptions, titles, and more to rank how much they overlap with this mod.
On ModDex
Community snapshot
By the numbers
Statistics
Want to reach Minecraft players?
We're looking for a server hosting partner to feature here and other parts of the site. Interested? Send us a message!
Get in touchGet it on
Available Platforms
On ModDex
Community snapshot
By the numbers
Statistics
Resources