Patch up security vulnerbility CVE-2021-44228 (also known as Log4Shell) for minecraft forge 1.7.10 - 1.12.2, by removing JNDI lookup from Interpolator using reflection and replace the default LoggerContextFactory to catch any LoggerContext loaded after this mod. For more specific technical explainations on how I patched it, please refer to the source code instead.
Currently only works for minecraft 1.12 and before. Tested on 1.7.10 and 1.12.2.
Compatibility
If any mod tries to programatically tweak logging configuration, they will fail miserably due to the exhaustive patching. To fix this, healer postpones the patching late enough, until said mods are done with their editing.
As of date, healer has built in support for these mods.
- ForgeEssentials
If you have other mods crashing with log lines like ClassCastException: cannot cast XXXXXXXX to org.apache.logging.log4j.core.impl.Log4jContextFactory
, then you have step on one of these mods.
To fix this, complain at my issue tracker, or add -Dnet.glease.healer.patch_stage=XXXX
to your JVM launch argument, where XXXX can be any of PRELOAD, PREINIT, INIT, POSTINIT
(in time order, with earliest as the first). PREINIT is usually enough to mitigate the problem, POSTINIT should be enough to fix all problem.
To ordinary players
- If your launcher has patched this already, you will not need this mod to patch the vulnerability.
- If you applied mojang's fix, you will not need this mod to patch the vulnerability.
- If you have FoamFix for 1.7, you will not need this mod to patch the vulnerability.
- If you have used other fixing mods, ask their original authors if they can "catch any LoggerContext loaded after their mod", if yes, you will not need this mod. Otherwise, replace that mod with this mod, or use a launcher that does patching for you, e.g. MultiMC.
To modpack makers
- I suggest you to include this mod in your client pack, if it is intended for minecraft 1.7~1.12.2. This will protect your users who is still not aware of this and happen to use a launcher that hasn't patched this.
- If you also distribute a server pack, and it is intended for minecraft 1.7~1.12.2, adding this mod is not necessary if you applied mojang's fix. However, since many people don't use the StartServer.bat (or something alike) that come with your server pack, chances are they will not use mojang's fixed log4j2.xml. Technically you should not distribute an edited minecraft_server-1.7.10.jar, so adding this jar would be the most straightfoward way of ensuring the user getting a fix.
90% of ad revenue goes to creators
Support creators and Modrinth ad-free with Modrinth+