December 9, 2021, a critical security vulnerability called "Log4Shell" affecting the popular Java logging package "log4j2" surfaced. What initially was just thought of as a Minecraft-related issue is actually much worse and affects multiple large services, such as Steam, Apple or Cloudflare. Basically, the half the internet is on fire, and you get to watch it happen.
Luckily, most software has already received a patch. If you're using log4j2 with any version between 2.0 and 2.14.1 update it as soon as possible. You can test if your application is vulnerable using this website. For more in-depth information on this exploit, take a look at this article by Lunasec.
The exploit itself allows for remote code execution. This means that any remote attacker can execute arbitrary code on the victim's device. An attacker thus has access to large parts of the system.
Now that that's out of the way, let's take a look at how Minecraft, a favorite game of mine, is affected by this. By the time the exploit came out, the majority of Minecraft servers and clients were affected. Mojang has already released patches to fix this. Additionally, popular Minecraft server software such as Spigot, Paper or Purple have each received updates as well.
So it's looking all well for the servers and clients, which were updated. What about the other ones, though? A quick search using Shodan, a service which keeps a list of publicly accessible devices connected to the internet, reveals that there are around 163,000 Minecraft servers in total. As it turns out, my own Minecraft server running the modpack SkyFactory 4 was affected until I read about the exploit and hastily updated it.
I took the time to join some servers listed on Shodan. And for the most part they were actually still unpatched and free for anyone to exploit. There is not much I can do about this, though.
The exploit even took down larger servers like Minemen Club:
Even though the first wave of impact is over and major services have addressed this issue, it won't be the last time we hear of Log4Shell. My prediction is that, as with most other exploits of this scale, someone will come around and write software to exploit vulnerable services automatically, eventually building some sort of botnet. Similar to how it happened when EternalBlue was released. Whether it does happen remains to be seen.
