Log4Shell RCE exploit: Update the launcher to the latest version 2.2.0 when possible #52
Comments
|
Mojang has made the following changes to logging configurations: <!-- client-1.7.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
<Appenders>
<Console name="SysOut" target="SYSTEM_OUT">
<XMLLayout />
</Console>
<RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
<Policies>
<TimeBasedTriggeringPolicy />
<OnStartupTriggeringPolicy />
</Policies>
</RollingRandomAccessFile>
</Appenders>
<Loggers>
<Root level="info">
<filters>
<MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
<!-- ADDED BEGIN -->
<RegexFilter regex=".*\$\{[^}]*\}.*" onMatch="DENY" onMismatch="NEUTRAL"/>
<!-- ADDED END -->
</filters>
<AppenderRef ref="SysOut"/>
<AppenderRef ref="File"/>
</Root>
</Loggers>
</Configuration><!-- client-1.12.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
<Appenders>
<Console name="SysOut" target="SYSTEM_OUT">
<LegacyXMLLayout />
</Console>
<RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
<!-- BEFORE: <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" /> -->
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
<Policies>
<TimeBasedTriggeringPolicy />
<OnStartupTriggeringPolicy />
</Policies>
</RollingRandomAccessFile>
</Appenders>
<Loggers>
<Root level="info">
<filters>
<MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
</filters>
<AppenderRef ref="SysOut"/>
<AppenderRef ref="File"/>
</Root>
</Loggers>
</Configuration> |
mindstorm38
changed the title
mindstorm38
added
documentation
|
After checking, PMC special log configuration is not update, CLI is critically affected by this exploit, API is not. |
mindstorm38
added
bug
mindstorm38
changed the title
mindstorm38
changed the title
mindstorm38
changed the title
|
It's quite hard to fix, because the launcher currently ignore update of the "time" from the version manifest. |
|
I'm a little embarrassed, it takes more work than I expected, as I had never considered the case of a critical change in the existing version metadata. This might introduce an argument |
|
Maybe download that data whenever something needs it and you can add someting like --offline later. |
|
I thought of this |
… If-Modified-Since header to only download the file when it's needed. A custom timeout can be set for the request, the special value 0 means that the manifest will fail to load if not found locally (with a new error VersionManifestError). The API of 'json_request' has also been updated to take an optional dictionary argument 'rcv_headers' that can used to get received headers. This modification is related to #52.
|
Almost ready to release! The last thing to implement is the timeout argument. This is more an improvement to the API than a particular fix for the exploit, the launcher is now able to install newer official metadata when needed. If Mojang implement another fixes in the future, they should be downloaded automatically. |
mindstorm38
changed the title
|
This issue is important, but it is referenced in the README, so I'm closing it. |
mindstorm38
added
documentation
Temporary fix:
Delete directory
<main_dir>/assets/log_configsAND your version directory if you already have a copy of it under<main_dir>/versions. Usually,<main_dir>is your.minecraftif you don't use--main-dirargument.https://twitter.com/slicedlime/status/1469150993527017483?t=17nPyfxTXExSTF1zsLwK9w&s=19
A release should be available soon to fix this issue, all versions will get a flag added if it's not already.
The text was updated successfully, but these errors were encountered: