Spigot Security Releases — 1.8.8–1.18

Discussion in 'News and Announcements' started by md_5, Dec 9, 2021.

Thread Status:
Not open for further replies.
  1. md_5

    Administrator Developer

    tl;dr update your server by repeating the steps you used to install it.

    Hi All

    We have just pushed some out-of-schedule security releases for Spigot. These releases work around a security issue in log4j2, the logging library used by Minecraft. BungeeCord is unaffected.

    The following versions have been patched:
    • 1.8.8 (BuildTools rev 582-a)
    • 1.9.4 (BuildTools rev 849-a)
    • 1.10.2 (BuildTools rev 986-a)
    • 1.11.2 (BuildTools rev 1251-a)
    • 1.12.2 (BuildTools rev 1573-k)
    • 1.13.2 (BuildTools rev 2148-d)
    • 1.14.4 (BuildTools rev 2502-c)
    • 1.15.2 (BuildTools rev 2703-a)
    • 1.16.5 (BuildTools rev 3096-a)
    • 1.17.1 (BuildTools rev 3284-a)
    • 1.18 (all versions after 10 December)
    • 1.18.1 (all versions)
    You can obtain a patched server jar by re-running BuildTools with the appropriate revision, e.g., java -jar BuildTools.jar --rev 1.12.2.

    If you are using < 1.17.1 and a custom log4j2.xml, for example by modifying the server jar or using the -Dlog4j.configurationFile= Java argument, you will need to replace all occurrences of %msg with %msg{nolookups}.

    It is also highly recommended you update your Java to the latest build of the relevant version. This is always good practice.

    We are not currently aware of the exploit having any possible permanent effects on your server if you are/were running an up-to-date version of Java (any version from the last ~ 3 years, including Java 8 updates released within that timeframe).

    Please check this thread regularly for any further updates.
     
    #1 md_5, Dec 9, 2021
    Last edited: Dec 14, 2021
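The %msg to %msg{nolookups} replacement described in the first post, as an added example (not md_5's or Spigot's code): a Python check that reports every %msg in a custom log4j2.xml that lacks {nolookups} and returns the patched text. It goes slightly beyond the post by also handling %msg written with a format modifier (such as %-40.60msg) and by leaving an escaped %% alone; the function name harden_config and the sample XML are constructed for this example.

```python
import re

# "%%" is an escaped percent sign; otherwise match %msg with an optional
# format modifier (e.g. %-40.60msg) and any {option} groups that follow it.
MSG_SPEC = re.compile(r"%%|%(-?\d*(?:\.-?\d+)?)msg((?:\{[^{}]*\})*)")

# Constructed sample configuration (not taken from any real server).
SAMPLE = """<Configuration><Appenders>
  <Console name="A"><PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n"/></Console>
  <Console name="B"><PatternLayout pattern="%-40.60msg 100%%msg%n"/></Console>
  <Console name="C"><PatternLayout pattern="%msg{nolookups}%n"/></Console>
</Appenders></Configuration>
"""


def harden_config(text):
    """Return (patched_text, findings).

    findings lists each %msg specifier that had no {nolookups} option as
    (line_number, specifier). Running the function on its own output is a
    no-op, so it is safe to apply repeatedly.
    """
    findings = []
    patched_lines = []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):

        def fix(match):
            if match.group(0) == "%%":
                return "%%"  # literal percent sign, not a conversion
            modifier, options = match.group(1), match.group(2)
            # Exact-case comparison: a differently cased option is treated
            # as unprotected, which errs on the side of patching.
            if "nolookups" in re.findall(r"\{([^{}]*)\}", options):
                return match.group(0)  # already protected
            findings.append((lineno, match.group(0)))
            return f"%{modifier}msg{{nolookups}}{options}"

        patched_lines.append(MSG_SPEC.sub(fix, line))
    return "".join(patched_lines), findings


if __name__ == "__main__":
    patched, findings = harden_config(SAMPLE)
    for lineno, spec in findings:
        print(f"line {lineno}: {spec} has no {{nolookups}}")
    print(patched, end="")
```

To use it on a real file, read the file's text, pass it to harden_config, review the findings, and write the patched text back only after keeping a copy of the original.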
  2. md_5

    Administrator Developer

    Please redownload the versions for 1.8.8-1.11.2, they were not properly patched initially.
     
  3. md_5

    Administrator Developer

    #3 md_5, Dec 10, 2021
    Last edited: Dec 10, 2021
  4. md_5

    Administrator Developer

    We are aware of another Log4j security advisory issued overnight. This advisory covers a very limited set of circumstances.

    There is no impact to Vanilla Minecraft or Spigot as they do not use the affected feature.
     