Minecraft is meant for kicking back, exploring Lush Caves, and coming up with stunning recreations of your favourite things, but it’s pretty hard to relax knowing your server and gaming PC are at risk from an exploit. Fortunately, developer Mojang is on top of things and has already fixed the bug in its latest 1.18.1 update, but those of you that run an older version will need to follow a couple of steps before you’re completely secure.
The vulnerability is tied to Log4j, an open-source logging tool that has a wide reach being built into many frameworks and third-party applications across the internet. As a result, Minecraft Java Edition is the first known program affected by the exploit, but undoubtedly won’t be the last – Bedrock users, however, are safe.
If the owners of your favourite server haven’t given the all-clear, it might be wise to stay away for the time being. High-profile servers are the main targets, but there are reports that several attackers are scanning the internet for vulnerable servers, so there could very well be a bullseye on your back if you chance it.
Fixing the issue with the game client is easy: simply close all instances and relaunch it to prompt the update to 1.18.1. Modded clients and third-party launchers might not automatically update, in which case you’ll need to seek guidance from server moderators to ensure you’re safe to play.
Versions below 1.7 are not affected and the simplest way for server owners to protect players is to upgrade to 1.18.1. If you’re adamant on sticking to your current version, however, there is a manual fix you can lean on.
How to fix Minecraft Java Edition server vulnerability
- Open the ‘installations’ tab from within your launcher
- Click the ellipses (…) on your chosen installation
- Navigate to ‘edit’
- Choose ‘more options’
- Add the following JVM arguments to your startup command line:
- 1.17 – 1.18: -Dlog4j2.formatMsgNoLookups=true
- 1.12 – 1.16.5: Download this file to the working directory where your server runs. Then add -Dlog4j.configurationFile=log4j2_112-116.xml
- 1.7 – 1.11.2: Download this file to the working directory where your server runs. Then add -Dlog4j.configurationFile=log4j2_17-111.xml
ProPrivacy expert Andreas Theodorou tells us that while the “exploit is hard to replicate and it’ll likely impact anarchy servers like 2B2T more than most, this is a clear example of the necessity to stay on top of updates for less technical and vanilla game users.” After all, it’s always better to be safe than sorry.