
Disable Message Pattern Lookup in Minecraft logging by default #1209

Merged
huanghongxun merged 1 commit into HMCL-dev:javafx from Glavo:log4j2 on Dec 10, 2021

Conversation

Glavo (Member) commented Dec 9, 2021

Log4j2 has been found to have a serious RCE vulnerability, and as of now every version is affected. For a Minecraft server, any member only needs to send the server a string with specific content to make the server execute whatever commands the attacker wants. (For the fix see apache/logging-log4j2#608.)

Because the Minecraft client allows sharing a world over the network, acting as the server, it may also be exposed to a similar attack in that situation.

The attack relies on the Message Pattern Lookup feature of Log4j2. Minecraft does not seem to use this feature, so disabling it by default prevents players from being attacked this way when they host a server from the client.
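As an added illustration of the mitigation described above (this is example code, not HMCL's own change), the helper below applies the two standard ways a launcher can disable message lookups before starting the game: it prepends the `-Dlog4j2.formatMsgNoLookups=true` JVM property, and, for Log4j 2.x releases that ignore that property, it rewrites every `PatternLayout` pattern in a log4j2 XML configuration to use `%msg{nolookups}`. The function names and the sample configuration are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# System property honoured by Log4j 2.10 through 2.14.x; later releases
# disable message lookups by default, older ones ignore the property.
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

# Matches %m / %msg / %message conversion words that carry no option
# block yet, so already-hardened patterns are left untouched.
_MSG_CONVERSION = re.compile(r"%(msg|message|m)(?![\w{])")


def harden_jvm_args(jvm_args):
    """Return a copy of the JVM argument list with message lookups disabled.

    Any earlier explicit setting of the property (e.g. one coming from a
    user's custom arguments) is dropped so the hardened value wins
    regardless of argument order.
    """
    kept = [a for a in jvm_args
            if not a.startswith("-Dlog4j2.formatMsgNoLookups=")]
    return [NO_LOOKUPS_FLAG] + kept


def harden_pattern_layout(log4j2_xml):
    """Rewrite every PatternLayout pattern so the message is rendered with
    %msg{nolookups}; this is the fallback for Log4j versions where the
    system property has no effect. The rewrite is idempotent."""
    root = ET.fromstring(log4j2_xml)
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern is not None:
            layout.set("pattern",
                       _MSG_CONVERSION.sub(r"%\1{nolookups}", pattern))
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a minimal log4j2 configuration in the style used by
# the game, with a lookup-enabled message conversion.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="SysOut" target="SYSTEM_OUT">
      <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="SysOut"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    print(harden_jvm_args(["-Xmx2G", "-Dlog4j2.formatMsgNoLookups=false"]))
    print(harden_pattern_layout(SAMPLE_CONFIG))
```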

@Glavo Glavo marked this pull request as draft December 10, 2021 04:18
Glavo (Member, Author) commented Dec 10, 2021

Forge seems to use this feature; a more conservative strategy needs to be considered.

@huanghongxun huanghongxun marked this pull request as ready for review December 10, 2021 06:19
@huanghongxun huanghongxun merged commit c31269a into HMCL-dev:javafx Dec 10, 2021
@Glavo Glavo deleted the log4j2 branch December 11, 2021 04:15