According to https://github.com/advisories/GHSA-7rjr-3q55-vv33, the current workaround for Log4Shell is NOT sufficient.
Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.
This means that Minecraft is (potentially) still exploitable. Further research is needed if it just so happens to not be, but I recommend an upgrade to Log4J 2.17.1 wherever possible.
(yes, I know this is already reported as MC-245918, but that has been closed as invalid)
PS: Is the Legacy Launcher affected?
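A defender-side check for the recommendation in the report above, added here as an example and not part of the original ticket or of Mojang's code: because setting log4j2.formatMsgNoLookups is not a sufficient mitigation, it inspects the Log4j version actually bundled in a jar, including nested jars. The function names and the sample jars are constructed for illustration; the 2.17.1 threshold is the version the report recommends.

```python
import io
import re
import zipfile

# Paths inside a log4j-core jar (standard Maven metadata and the JNDI lookup class).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_VERSION = (2, 17, 1)  # the version the report above recommends

def parse_version(text):
    """Extract (major, minor, patch) from pom.properties; None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_jar(data, name, depth=0):
    """Report log4j-core copies in a jar given as bytes, including nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            ver = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
            findings.append({"jar": name, "version": ver, "jndi_lookup": JNDI in names,
                             # unknown version (e.g. shaded jar) is flagged for review
                             "needs_upgrade": ver is None or ver < MIN_VERSION})
        if depth < 3:  # bundled libraries: recurse a few levels only
            for n in sorted(names):
                if n.endswith((".jar", ".war")):
                    findings += inspect_jar(zf.read(n), f"{name}!{n}", depth + 1)
    return findings

def make_jar(files):
    """Build an in-memory jar from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

def core_jar(version):
    """Constructed stand-in for a log4j-core jar of the given version."""
    return make_jar({POM: f"artifactId=log4j-core\nversion={version}\n", JNDI: b""})

if __name__ == "__main__":
    server = make_jar({"libraries/log4j-core.jar": core_jar("2.14.1")})  # constructed sample
    for finding in inspect_jar(server, "server.jar"):
        print(finding)
```

To check a real file, pass its bytes, for example `inspect_jar(open(path, "rb").read(), path)`.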
Comments 2
Thank you for your report!
We're tracking this issue in MC-245918, so this ticket is being resolved and linked as a duplicate.
That ticket has already been resolved as invalid. Please take a look at the parent ticket (MC-245918) and see if an explanation is provided there in the description of the ticket or in the comments for why this issue is invalid.
If you haven't already, you might like to make use of the search feature to see if the issue has already been mentioned.
-- I am a bot. This action was performed automatically! The ticket was resolved by one of our moderators, and I left this message to give more information to you.
The link is dead, and I don't think this is a Minecraft issue, but a Log4J issue.
But, perhaps a second layer of prevention can be added into Minecraft.