Healer

Healer

Mod

Patch up CVE-2021-44228 for minecraft forge 1.7.10 - 1.12.2

Client or server
6,221 downloads
12 followers
Created2 years ago
Updateda year ago
Follow Save
Host your Minecraft server on BisectHosting - get 25% off your first month with code MODRINTH.
Ad via Adrinth

Patch up security vulnerbility CVE-2021-44228 (also known as Log4Shell) for minecraft forge 1.7.10 - 1.12.2, by removing JNDI lookup from Interpolator using reflection and replace the default LoggerContextFactory to catch any LoggerContext loaded after this mod. For more specific technical explainations on how I patched it, please refer to the source code instead.

Currently only works for minecraft 1.12 and before. Tested on 1.7.10 and 1.12.2.

Compatibility

If any mod tries to programatically tweak logging configuration, they will fail miserably due to the exhaustive patching. To fix this, healer postpones the patching late enough, until said mods are done with their editing.

As of date, healer has built in support for these mods.

  • ForgeEssentials

If you have other mods crashing with log lines like ClassCastException: cannot cast XXXXXXXX to org.apache.logging.log4j.core.impl.Log4jContextFactory, then you have step on one of these mods.

To fix this, complain at my issue tracker, or add -Dnet.glease.healer.patch_stage=XXXX to your JVM launch argument, where XXXX can be any of PRELOAD, PREINIT, INIT, POSTINIT (in time order, with earliest as the first). PREINIT is usually enough to mitigate the problem, POSTINIT should be enough to fix all problem.

To ordinary players

  1. If your launcher has patched this already, you will not need this mod to patch the vulnerability.
  2. If you applied mojang's fix, you will not need this mod to patch the vulnerability.
  3. If you have FoamFix for 1.7, you will not need this mod to patch the vulnerability.
  4. If you have used other fixing mods, ask their original authors if they can "catch any LoggerContext loaded after their mod", if yes, you will not need this mod. Otherwise, replace that mod with this mod, or use a launcher that does patching for you, e.g. MultiMC.

To modpack makers

  1. I suggest you to include this mod in your client pack, if it is intended for minecraft 1.7~1.12.2. This will protect your users who is still not aware of this and happen to use a launcher that hasn't patched this.
  2. If you also distribute a server pack, and it is intended for minecraft 1.7~1.12.2, adding this mod is not necessary if you applied mojang's fix. However, since many people don't use the StartServer.bat (or something alike) that come with your server pack, chances are they will not use mojang's fixed log4j2.xml. Technically you should not distribute an edited minecraft_server-1.7.10.jar, so adding this jar would be the most straightfoward way of ensuring the user getting a fix.

External resources

IssuesSource

Featured versions

See all
1.2.1
Forge 1.7.2–1.12.2
Release

Project members

glease

Owner

Technical information

License
MIT
Client side
optional
Server side
optional
Project ID