Log4J & Minecraft

Minecraft and the Discovery of the Vulnerability

“Minecraft” and “worst internet vulnerability of the century” are hardly things you would expect to hear in the same sentence. However, everything changed on the 24th November 2021, when the vulnerability was discovered by a team of security researchers at Alibaba.

This vulnerability was widely used by hackers on Minecraft Anarchy servers, who exploited it to cause immense harm. The danger lay in the exploit allowing hackers to run any code on a victim’s device, opening it up to a host of dangerous attacks. For the non-tech-savvy readers, this basically means that hackers were able to install anything they wanted, including viruses. As a consequence, computers were opened up to the Khonsari ransomware, a virus which encrypts all your data and holds it hostage until a ransom is paid. This was definitely not the only malware risk, and many Minecraft servers were shut down temporarily to limit the potential damage.

The Scope of the Vulnerability

The exploit was in fact due to a logging system named Log4J, provided by Apache, which is known for its web server software. Log4J is a library: a piece of code that anyone can use in their own programs, sparing them from having to rewrite everything from scratch. As a consequence, the Log4J bug was, and still is, widespread, not only in Minecraft but in thousands of other services such as Steam, Twitter and Amazon Web Services, to name but a few.

While the potential for damage was in itself huge, the severity was further exacerbated by the scale of the vulnerability, which affects so many devices, services and programs running on Java, including Minecraft Java edition, which has just crossed a billion downloads globally. This has undoubtedly made the Log4J exploit one of the worst, if not the worst, vulnerabilities of the century.

Trying to Patch the World

Fortunately, programmers around the world, including a Mauritian team (Cyberstorm.mu) and myself, were quick to patch the exploit, updating Log4J and the programs running the old and vulnerable version, with 13% of affected code being updated to a safe version within a week of discovering the exploit. However, this vulnerability often extends well below “surface-level” code, as a single program may depend on loads of libraries which in turn have other dependencies, forming a large tree hierarchy in which the bug may lie at any level. This complicates the debugging process and, as a consequence, the Log4J exploit may take years to fully eradicate from all the world’s code.
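The point about nested dependencies, as an added example (not code from the original article): a Python script that walks a dependency tree and reports every copy of Log4J with the chain of libraries that pulls it in. It assumes the text format printed by Maven's `mvn dependency:tree`; the project names, versions and the minimum-safe threshold are constructed placeholders.

```python
import re

TARGET = "org.apache.logging.log4j:log4j-core"
# Placeholder threshold: take the real fixed version from the Apache Log4j
# security advisory. This value is constructed for the sample below.
PLACEHOLDER_MIN_SAFE = "9.9.9"

# Constructed sample in the text format of `mvn dependency:tree`.
SAMPLE_TREE = r"""
[INFO] com.example:game-server:jar:1.0.0
[INFO] +- com.example:chat-plugin:jar:3.2.0:compile
[INFO] |  +- com.example:metrics-lib:jar:0.4.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:1.2.3:compile
[INFO] |  \- com.example:util:jar:2.0.0:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:9.9.9:compile
"""

def version_key(version):
    # Compare dotted versions numerically; a "-suffix" qualifier is ignored.
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_log4j(tree_text, min_safe=PLACEHOLDER_MIN_SAFE):
    """Return (version, dependency_path, is_outdated) for each log4j-core node."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        line = re.sub(r"^\[INFO\] ?", "", raw)
        # Each nesting level is a 3-character column, then "+- " or "\- ".
        m = re.match(r"^((?:[| ]  )*)([+\\]- )?(\S+)$", line)
        if not m:
            continue
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        parts = m.group(3).split(":")
        if len(parts) < 4:
            continue
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        name = ":".join(parts[:2])
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(name)         # stack now holds the path from the root
        if name == TARGET:
            outdated = version_key(version) < version_key(min_safe)
            hits.append((version, " > ".join(stack), outdated))
    return hits

if __name__ == "__main__":
    for version, path, outdated in find_log4j(SAMPLE_TREE):
        print("OUTDATED" if outdated else "ok      ", version, path)
```

The outdated copy in the sample sits three levels below the application, behind two other libraries, which is why updating only direct dependencies does not remove it.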

Are YOU At Risk?

To conclude, I’ll answer the question you probably had when you started reading this: “Am I at risk from the vulnerability, especially in Minecraft?” The answer is a somewhat certain “No”. Through extensive patching, many (but unfortunately not all) crucial systems have been fixed due to the ransomware threat and no longer present this vulnerability. This, thankfully, includes Minecraft Java edition, with Bedrock edition not having been affected in the first place.