The log4j vulnerability has been fixed in the latest build of the launcher (707). Just restart it and you'll be updated automatically.
It's incredibly important that you get this update. With this update you'll be safe again.
So what did we do? Well, it depends on the MC version.
- log4j 2.0-beta9 gets replaced with a patched version (2.0-beta9-fixed) (MC >= 1.7 < 1.12)
- Any other log4j version gets upgraded to 2.15.0, the one that isn't vulnerable (MC >= 1.12)
- The `-Dlog4j2.formatMsgNoLookups=true` flag was removed, since it wasn't needed anymore
If you run the `${date:YYYY}` test on this, you'll get the `2021` text. However, if you try the actual vulnerability (the JNDI one), it won't be parsed.
Thanks for the patience and have fun!