Log4j vulnerability - Information about the security of your servers

Hello everyone,

For a few days now, a vulnerability affecting the Java library named « log4j » has been found allowing the execution of (potentially malicious) code remotely (also known as RCE). Since this library is used by Minecraft, this exploit could impact both your server and your game client.

Although we have done security checks beforehand to ensure the safety of all our clients, we advise you to update your servers as soon as possible to avoid any problems.

Here is a non-exhaustive list of those that have already deployed a patch to fix this vulnerability:

  • Paper

Paper 1.18 #66 or higher
Paper 1.17 #399 or higher
Paper 1.16.5 #792 or higher
(legacy versions won’t be patched)

  • Spigot/CraftBukkit

Lastest builds from 1.8.8 to 1.18.1

  • Forge

1.18-38.0.17
1.17.1-37.1.1
1.16.5-36.2.20
1.15.2-31.2.56
1.14.4-28.2.25
1.13.2-25.0.222
1.12.2-14.23.5.2857
(older versions won’t be patched)

  • Classic

1.18.1 only.
The solutions proposed by Mojang for earlier versions cannot be implemented on our machines for technical reasons. We generally advise using more sophisticated server software like Paper.

  • Mohist/Magma

Lastest builds for both 1.12.2 and 1.16.5

BungeeCord is not affected by this vulnerability.

All of these versions are already available in 1-click install on your panel, so no excuse not to update your server! :slight_smile:

For people using openmod and specific JARs, please ask directly to the developers.

Although we strongly recommend upgrading your server, customers for whom this would not be possible can still install the « Log4JExploit-Fix » plugin via the plugin installer from their panel.

We remain at your disposal on discord or ticket for any further information! :slight_smile:

Have a good game and update your servers!
BoxToPlay staff.