bump Log4j version to >2.17

[JasonBuckner]

Role

I play vanilla & modded Minecraft on servers.

Suggestion

address this Apache Log4j Security Vulnerability

Benefit

Apache Log4j Security Vulnerabilities are frowny face emoji and I'd like to be able to Minecraft again.

This suggestion is unique

• I have searched the issue tracker and did not find an issue describing my suggestion, especially not one that has been rejected.

You may use the editor below to elaborate further.

CVE-2021-44832 is a lovely vulnerability that impacts all versions of Log4j from 2.0-beta7 to 2.17.0, excluding 2.3.2 and 2.12.4.
See also #4349.

Personally, I'm running Java 8 (for REASONS) and am stuck with version 2.0-beta9-fixed of Log4j.

[phit]

all versions you get in multimc are patched already

[phit]

https://multimc.org/posts/log4j-remote-execution.html

[JasonBuckner]

Thanks for the speedy reply!
My mistake. Wrong link. I intended to use this one: Apache Log4j Security Vulnerabilities
That page was last updated (with a new vulnerability) on 2022-09-13.

It's my understanding that the version recommended in the article that @phit linked, and the one that I'm using (2.0-beta9-fixed), is still vulnerable (or perhaps has recently been discovered to be vulnerable).

Is that not the case?

[phit]

I don't see a new CVE on that page? The Jndi Lookup has been completely removed in the fixed version so unless there's a new class of vulnerabilities found, it should not affect us.

[JasonBuckner]

Arctic Wolf is complaining about CVE-2021-44228... so, I donno.

[phit]

yeah that's old and patched

[JasonBuckner]

Sorry to be a pest, but just to verify... this output from Arctic Wolf Log4Shell Deep Scan is nothing to worry about, right?

Result: FAIL
The following Java applications contain Log4j JndiLookup, do not appear to have
been updated to Log4J 2.16+ or Log4J 2.12.2+, and are likely subject to
Log4Shell (CVE-2021-44228, CVE-2021-45046).

• C:...\MultiMC\libraries\com\mojang\netty\1.8.8\netty-1.8.8.jar
• C:...\MultiMC\libraries\com\mojang\patchy\1.3.9\patchy-1.3.9.jar
• C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar
• C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9-fixed\log4j-core-2.0-beta9-fixed.jar
• C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.11.2\log4j-core-2.11.2.jar
• C:...\MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.8.1\log4j-core-2.8.1.jar

For remediation steps, contact the vendor of each affected application.

[phit]

right, though this one MultiMC\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar can be deleted, nothing should be using it anymore

[StripedTailz]

I'm looking for "log4j-core-2.0-beta9-fixed.jar" as my minecraft launcher cannot download from this link "https://intent.store/resources/org/apache/logging/log4j/log4j-core/2.0-beta9/log4j-core-2.0-beta9-fixed.jar"
does anyone have this file?

[phit]

https://files.multimc.org/maven/org/apache/logging/log4j/log4j-api/2.0-beta9-fixed/log4j-api-2.0-beta9-fixed.jar