msm 0.10.0 appears to use insecure log4j 2.14.1 #437

Closed
rrimc69 opened this issue Dec 11, 2021 · 2 comments

rrimc69 commented Dec 11, 2021

MSM is vulnerable to the log4shell exploit; see the page at the following link for CVE details regarding the log4j vulnerability:
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell

MSM on my box is fully up to date and appears to be using a compromised version of log4j (2.14.1). Please consider updating this component with the latest patched version from Apache, 2.15.0, if possible.

[root@mybox msm]# msm version
Minecraft Server Manager 0.10.0 Beta
[root@mybox msm]# find . | egrep log4j
./servers/TestServer/libraries/org/apache/logging/log4j
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-slf4j18-impl
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-slf4j18-impl/2.14.1
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-slf4j18-impl/2.14.1/log4j-slf4j18-impl-2.14.1.jar
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-api
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-api/2.14.1
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-core
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-core/2.14.1
./servers/TestServer/libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar
./libraries/org/apache/logging/log4j
./libraries/org/apache/logging/log4j/log4j-slf4j18-impl
./libraries/org/apache/logging/log4j/log4j-slf4j18-impl/2.14.1
./libraries/org/apache/logging/log4j/log4j-slf4j18-impl/2.14.1/log4j-slf4j18-impl-2.14.1.jar
./libraries/org/apache/logging/log4j/log4j-api
./libraries/org/apache/logging/log4j/log4j-api/2.14.1
./libraries/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar
./libraries/org/apache/logging/log4j/log4j-core
./libraries/org/apache/logging/log4j/log4j-core/2.14.1
./libraries/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar
[root@mybox msm]#

Collaborator

M-D-M commented Dec 11, 2021

I do not believe those files are part of a normal msm install -- I just checked our source, as well as an msm install I have, and did not find any "log4j" filenames. (I do not believe an Apache web server would be part of a normal msm install, anyway.)

Author

rrimc69 commented Dec 12, 2021

Built a vanilla VM with msm installed, and it confirms msm does not use log4j directly. My apologies, Minecraft itself does use log4j, however it may be that some other past activity spilled that directory out to /opt/msm.

rrimc69 closed this as completed Dec 12, 2021
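
The thread turns on which component actually ships the log4j jars that `find` reported. The script below is an added example, not part of the original thread and not msm's own code: it inventories `log4j-core` jars, reads the version from the file name, compares it numerically with 2.15.0 (the release named in the issue) and attributes each jar to the tree it sits in. The `servers/<name>/libraries` and top-level `libraries` layout is taken from the `find` output above; the `Patched` server and the empty jar files are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory log4j-core jars and attribute each to the tree that ships it.
FIXED="${FIXED:-2.15.0}"   # threshold; defaults to the release named in the issue

# version_lt A B: succeed when dotted version A is strictly lower than B (numeric compare).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' < /dev/null
}

# scan_log4j ROOT: print "STATUS VERSION OWNER RELATIVE_PATH" for each log4j-core jar.
scan_log4j() {
    root="${1%/}"
    find "$root" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        ver="${jar##*/log4j-core-}"; ver="${ver%.jar}"   # version from the file name
        rel="${jar#"$root"/}"
        case "$rel" in
            servers/*/libraries/*) owner="${rel#servers/}"; owner="server:${owner%%/*}" ;;
            *) owner="shared" ;;   # assumption: anything else is a shared library tree
        esac
        if version_lt "$ver" "$FIXED"; then status=OLD; else status=OK; fi
        printf '%s %s %s %s\n' "$status" "$ver" "$owner" "$rel"
    done
}

# make_sample_tree: constructed tree of empty files mirroring the layout in the issue.
make_sample_tree() {
    tmp="$(mktemp -d)"
    for p in libraries servers/TestServer/libraries servers/Patched/libraries; do
        v=2.14.1; [ "$p" = servers/Patched/libraries ] && v=2.15.0
        d="$tmp/$p/org/apache/logging/log4j/log4j-core/$v"
        mkdir -p "$d" && : > "$d/log4j-core-$v.jar"
    done
    printf '%s\n' "$tmp"
}

sample="$(make_sample_tree)"
scan_log4j "$sample"
rm -rf "$sample"
```

Only `log4j-core` is matched; the version is taken from the file name, so a renamed or repackaged jar would not be recognised.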