Vulnerable Log4j version after building. #458

Open
Floppaging opened this issue Mar 29, 2024 · 2 comments

In the screenshot you can see that the log.txt file from "ForgeHax-1.16.5-3.3.1\build\reobfJar\log.txt" shows that ForgeHax is built using a vulnerable Log4j version, namely "log4j-core-2.11.2.jar".

Source: "https://logging.apache.org/log4j/2.x/security.html"

What do you guys think about this? Is the version being old not a problem since Forge has "patched" Log4j on its own on newer versions than 36.2.20 (for 1.16.5)? I personally updated Log4j to a newer version.

fr1kin (Owner) commented Mar 29, 2024

ForgeHax uses whatever version of Log4J Minecraft and Forge use. There is not much I can do about that, hopefully Forge has dealt with the issue. Also there is a java parameter you can add that will disable the cause of the exploit. I forget what it is though.

marpisco commented Apr 3, 2024

> there is a java parameter you can add that will disable the cause of the exploit.

log4j2.formatMsgNoLookups=true or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
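
Added example, not part of the thread and not ForgeHax or Forge code: a Python check that classifies a `log4j-core` jar such as the `log4j-core-2.11.2.jar` named in the issue and reports whether either form of the switch quoted above is set for the JVM that loads it. Assumptions: the `JndiLookup` class path inside the jar, the thresholds 2.10.0 (first release honouring the switch) and 2.15.0 (message lookups off by default), with the 2.3.x and 2.12.x maintenance releases not special-cased; the verdict strings and `make_sample_jar` are hypothetical names, and the sample jar is constructed.

```python
import os, re, tempfile, zipfile

# Class that performs the JNDI lookups inside log4j-core (assumed path).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")

def core_version(jar_path):
    """Return (major, minor, patch) parsed from a log4j-core jar name, or None."""
    m = JAR_RE.search(str(jar_path))
    return tuple(int(g or 0) for g in m.groups()) if m else None

def switch_set(jvm_args, env):
    """True if either form of the switch quoted in the thread is enabled."""
    if env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true":
        return True
    return any(a.partition("=")[0] == "-Dlog4j2.formatMsgNoLookups"
               and a.partition("=")[2].lower() == "true" for a in jvm_args)

def assess(jar_path, jvm_args=(), env=None):
    """Classify one jar; the version thresholds are labelled assumptions."""
    ver = core_version(jar_path)
    if ver is None:
        return "not-log4j-core"
    with zipfile.ZipFile(jar_path) as jar:
        if JNDI_CLASS not in jar.namelist():
            return "jndi-lookup-class-absent"
    if ver >= (2, 15, 0):
        return "message-lookups-off-by-default"
    if ver < (2, 10, 0):
        return "switch-not-honoured"  # the flag is ignored by these releases
    return "switch-set" if switch_set(jvm_args, env or {}) else "switch-missing"

def make_sample_jar(directory, name="log4j-core-2.11.2.jar"):
    """Build a constructed stand-in jar holding only an empty JndiLookup entry."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(JNDI_CLASS, b"")
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        jar = make_sample_jar(tmp)
        print(assess(jar))
        print(assess(jar, ["-Dlog4j2.formatMsgNoLookups=true"]))
        print(assess(jar, env={"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}))
```

A `switch-set` result only confirms the flag is present for a release that reads it; the Apache page linked in the issue remains the reference for which versions are fixed.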
