Log4Shell RCE exploit: Update the launcher to the latest version 2.2.0 when possible #52
Mojang has made the following changes to logging configurations:

`client-1.7.xml`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
    <Appenders>
        <Console name="SysOut" target="SYSTEM_OUT">
            <XMLLayout />
        </Console>
        <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy />
                <OnStartupTriggeringPolicy />
            </Policies>
        </RollingRandomAccessFile>
    </Appenders>
    <Loggers>
        <Root level="info">
            <filters>
                <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
                <!-- ADDED BEGIN -->
                <RegexFilter regex=".*\$\{[^}]*\}.*" onMatch="DENY" onMismatch="NEUTRAL"/>
                <!-- ADDED END -->
            </filters>
            <AppenderRef ref="SysOut"/>
            <AppenderRef ref="File"/>
        </Root>
    </Loggers>
</Configuration>
```

`client-1.12.xml`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
    <Appenders>
        <Console name="SysOut" target="SYSTEM_OUT">
            <LegacyXMLLayout />
        </Console>
        <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
            <!-- BEFORE: <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" /> -->
            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
            <Policies>
                <TimeBasedTriggeringPolicy />
                <OnStartupTriggeringPolicy />
            </Policies>
        </RollingRandomAccessFile>
    </Appenders>
    <Loggers>
        <Root level="info">
            <filters>
                <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
            </filters>
            <AppenderRef ref="SysOut"/>
            <AppenderRef ref="File"/>
        </Root>
    </Loggers>
</Configuration>
```
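The two configurations above use different mitigations: the 1.7 one adds a `RegexFilter` on the root logger that drops any event whose message contains a `${...}` lookup, and the 1.12 one switches the file appender's pattern to `%msg{nolookups}` so the message is emitted without lookup substitution. The following added check (not part of portablemc or Mojang's code) parses a Log4j 2 client config and reports which of the two mitigations it carries, so a launcher can tell whether the `log_configs` copy it holds is the fixed one; `message_denied` mimics the filter's full-match semantics on constructed sample messages, and the probe string passed to the filter regex is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Log4j's RegexFilter applies the pattern with full-string "matches" semantics, hence the .* on both ends.
LOOKUP_REGEX = r".*\$\{[^}]*\}.*"

# Constructed sample: the unpatched config, from which the two Mojang variants are derived below.
BEFORE = r"""<Configuration status="WARN">
  <Appenders>
    <Console name="SysOut" target="SYSTEM_OUT"><XMLLayout/></Console>
    <RollingRandomAccessFile name="File" fileName="logs/latest.log" filePattern="logs/%d{yyyy-MM-dd}-%i.log.gz">
      <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n"/>
    </RollingRandomAccessFile>
  </Appenders>
  <Loggers>
    <Root level="info">
      <filters>
        <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL"/>
      </filters>
      <AppenderRef ref="SysOut"/>
      <AppenderRef ref="File"/>
    </Root>
  </Loggers>
</Configuration>"""

REGEX_FILTER = r'<RegexFilter regex=".*\$\{[^}]*\}.*" onMatch="DENY" onMismatch="NEUTRAL"/>'
CLIENT_1_7 = BEFORE.replace("</filters>", REGEX_FILTER + "\n      </filters>")   # filter-based fix
CLIENT_1_12 = BEFORE.replace("%msg%n", "%msg{nolookups}%n")                      # layout-based fix


def message_denied(msg: str) -> bool:
    """True if Mojang's RegexFilter (onMatch=DENY) would drop this log message."""
    return re.fullmatch(LOOKUP_REGEX, msg) is not None


def audit_log_config(xml_text: str) -> dict:
    """Report which Log4Shell mitigations a Log4j 2 client config carries."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = {"regex_filter": False, "nolookups": False, "patterns_without_nolookups": []}

    # A RegexFilter counts only if it actually denies a message carrying a lookup.
    for flt in root.iter("RegexFilter"):
        regex = flt.get("regex") or ""
        try:
            denies_lookup = re.fullmatch(regex, "probe ${lookup} probe") is not None  # assumed probe
        except re.error:
            continue
        if flt.get("onMatch") == "DENY" and denies_lookup:
            findings["regex_filter"] = True

    # Every PatternLayout that still renders %msg without {nolookups} is listed for review.
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern") or ""
        if "%msg{nolookups}" in pattern:
            findings["nolookups"] = True
        else:
            findings["patterns_without_nolookups"].append(pattern)

    findings["mitigated"] = findings["regex_filter"] or findings["nolookups"]
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("client-1.7", CLIENT_1_7), ("client-1.12", CLIENT_1_12)):
        print(name, audit_log_config(cfg))
```

Note that the root-logger filter protects every appender, while `%msg{nolookups}` protects only the layout it is written into; the `patterns_without_nolookups` list is therefore informational when `regex_filter` is already true.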
After checking, PMC special log configuration is not updated, CLI is critically affected by this exploit, API is not.

It's quite hard to fix, because the launcher currently ignores updates of the "time" from the version manifest.

I'm a little embarrassed, it takes more work than I expected, as I had never considered the case of a critical change in the existing version metadata. This might introduce an argument

Maybe download that data whenever something needs it and you can add something like --offline later.

I thought of this
… If-Modified-Since header to only download the file when it's needed. A custom timeout can be set for the request, the special value 0 means that the manifest will fail to load if not found locally (with a new error VersionManifestError). The API of 'json_request' has also been updated to take an optional dictionary argument 'rcv_headers' that can be used to get received headers. This modification is related to #52.
Almost ready to release! The last thing to implement is the timeout argument. This is more an improvement to the API than a particular fix for the exploit, the launcher is now able to install newer official metadata when needed. If Mojang implements other fixes in the future, they should be downloaded automatically.
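The commit message and the comment above describe the mechanism that lets the launcher pick up Mojang's corrected metadata: send `If-Modified-Since` so the manifest is only re-downloaded when the server has a newer copy, treat a timeout of 0 as "offline" and raise `VersionManifestError` when nothing is cached, and hand received headers back through an `rcv_headers` dictionary. The block below is an added, self-contained sketch of that logic, not portablemc's `json_request` implementation; the transport callable, the fake server, the cache path and the sample manifest are all assumptions of this example.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime
from typing import Callable, Dict, Optional, Tuple


class VersionManifestError(Exception):
    """No usable manifest: nothing cached locally and the download was disabled or failed."""


# Hypothetical transport: fetch(url, headers, timeout) -> (status, body, response_headers).
Fetch = Callable[[str, Dict[str, str], float], Tuple[int, bytes, Dict[str, str]]]


def load_manifest(url: str, cache_path: str, fetch: Fetch, timeout: float = 10.0,
                  rcv_headers: Optional[Dict[str, str]] = None) -> dict:
    """Return the version manifest, downloading only when the server says it changed."""
    local = None
    if os.path.exists(cache_path):
        with open(cache_path, "r", encoding="utf-8") as f:
            local = json.load(f)

    # timeout 0 is the "offline" special value: never touch the network.
    if timeout == 0:
        if local is None:
            raise VersionManifestError("no local manifest and downloads are disabled")
        return local

    # Ask the server to skip the body when our copy is at least as new as theirs.
    headers: Dict[str, str] = {}
    if local is not None:
        headers["If-Modified-Since"] = formatdate(os.path.getmtime(cache_path), usegmt=True)

    try:
        status, body, resp_headers = fetch(url, headers, timeout)
    except OSError:
        if local is None:
            raise VersionManifestError("download failed and no local manifest exists")
        return local  # degrade to the cached copy rather than failing the launch
    if rcv_headers is not None:
        rcv_headers.update(resp_headers)

    if status == 304 and local is not None:
        return local
    if status == 200:
        data = json.loads(body.decode("utf-8"))
        with open(cache_path, "w", encoding="utf-8") as f:
            json.dump(data, f)
        # Stamp the cache with the server's Last-Modified so the next request can reuse it.
        last_modified = resp_headers.get("Last-Modified")
        if last_modified:
            ts = parsedate_to_datetime(last_modified).timestamp()
            os.utime(cache_path, (ts, ts))
        return data
    if local is not None:
        return local
    raise VersionManifestError(f"unexpected HTTP status {status}")


def make_fake_fetch(manifest: dict, last_modified: datetime, calls: list) -> Fetch:
    """Constructed stand-in for the network: answers 304 when the client's copy is current."""
    lm_header = formatdate(last_modified.timestamp(), usegmt=True)

    def fetch(url: str, headers: Dict[str, str], timeout: float):
        calls.append(dict(headers))
        ims = headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims) >= last_modified:
            return 304, b"", {"Last-Modified": lm_header}
        return 200, json.dumps(manifest).encode("utf-8"), {"Last-Modified": lm_header}

    return fetch


def demo() -> dict:
    """Exercise first download, unchanged (304), offline hit and offline miss."""
    calls: list = []
    manifest = {"latest": {"release": "example-release"}, "versions": []}  # constructed sample
    fetch = make_fake_fetch(manifest, datetime(2021, 12, 14, 10, 0, 0, tzinfo=timezone.utc), calls)
    url = "https://example.invalid/version_manifest.json"  # placeholder URL
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "version_manifest.json")
        first = load_manifest(url, path, fetch)
        seen: Dict[str, str] = {}
        second = load_manifest(url, path, fetch, rcv_headers=seen)
        offline = load_manifest(url, path, fetch, timeout=0)
        try:
            load_manifest(url, os.path.join(tmp, "missing.json"), fetch, timeout=0)
            offline_miss_raises = False
        except VersionManifestError:
            offline_miss_raises = True
    return {
        "network_calls": len(calls),
        "first_sent_ims": "If-Modified-Since" in calls[0],
        "second_sent_ims": "If-Modified-Since" in calls[1],
        "all_same": first == second == offline == manifest,
        "last_modified_seen": seen.get("Last-Modified"),
        "offline_miss_raises": offline_miss_raises,
    }


if __name__ == "__main__":
    print(demo())
```

The cache's mtime is deliberately set from the server's `Last-Modified` rather than the download time, so a clock skew between client and server cannot make the launcher believe its stale copy is newer than Mojang's corrected one.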
This issue is important, but it is referenced in the README, so I'm closing it.
Temporary fix:

Delete directory `<main_dir>/assets/log_configs` AND your version directory if you already have a copy of it under `<main_dir>/versions`. Usually, `<main_dir>` is your `.minecraft` if you don't use the `--main-dir` argument.

https://twitter.com/slicedlime/status/1469150993527017483?t=17nPyfxTXExSTF1zsLwK9w&s=19
A release should be available soon to fix this issue, all versions will get a flag added if it's not already.