Urgent: Upgrade your Minecraft Servers
Minecraft servers before version 1.18.1 are vulnerable to a Remote Code Execution attack. You must upgrade immediately.
- If you deploy a new Minecraft server at Rcs, you are protected. Rcs's Minecraft server image has been upgraded to version 1.18.1, which is safeguarded against the exploit.
- If your server is version 1.18 or earlier, you must upgrade. Please use these instructions.
How to Patch your Minecraft Server
Connect to your server with SSH as root.
Create
fix_minecraft.sh
in your text editor.# nano ~/fix_minecraft.sh
Paste the following script:
#!/bin/bash echo "Rcs Minecraft Log4j RCE Patcher - v1.0" if ! [ -z "$(grep "Dlog4j.configurationFile=log4j2.xml" /home/minecraft/minecraft_server.sh)" ]; then echo "Already patched!" exit 0 fi echo "Grabbing version!" VERSION="$(cat minecraft_server_version)" VERSION_MAJOR="$(echo ${VERSION} | awk -F'.' '{print $1}')" VERSION_MINOR="$(echo ${VERSION} | awk -F'.' '{print $2}')" echo "Found Version: ${VERSION}" if [ "${VERSION_MAJOR}" == "1" ] && [ "${VERSION_MINOR}" -lt "12" ]; then echo "Found OLD Version: ${VERSION}, using pre 1.12 xml fix!" URL="https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml" fi URL="https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml" if [ "${VERSION}" == "1.18.1" ] || [ "${VERSION_MINOR}" -gt "18" ]; then echo "Found NEW Version: ${VERSION}, no patch needed!" exit 0 fi echo "Downloading: ${URL}" curl -Ls "${URL}" > /home/minecraft/log4j2.xml echo "Patching: /home/minecraft/minecraft_server.sh" sed -i -e 's/java -Xmx/java -Dlog4j.configurationFile=log4j2.xml -Xmx/g' /home/minecraft/minecraft_server.sh
Type Ctrl+X, and then Y to save and exit.
Make the script executable.
# chmod u+x ~/fix_minecraft.sh
Run the script.
# bash ~/fix_minecraft.sh
As a precaution, please reboot your server.
More Information
There is a new zero-day exploit for the Log4J2 library used by Minecraft. This exploit allows unsophisticated attackers to take over your server remotely. The vulnerability has been reported with CVE-2021-44228 against the log4j-core
jar and is fixed in Log4J v2.15.0.
To protect our network, Rcs may shut down vulnerable Minecraft servers. Please upgrade immediately.