Jump to content

Forge needs to update to using Log4j 16.0 instead of 15.0. Forge might still be vulnerable


Yaga

Recommended Posts

Forge updated to using Log4j 15.0 after the recent security exploits. however since then, its been discovered its still possible to steal data from your computer with that version of log4j.
From the cyber security company Praetorian:
https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

""The Apache Software Foundation announced a new vulnerability in Log4j – CVE-2021-45046 – on December 14th. The vulnerability as described states that Log4j 2.15.0 can allow a local Denial of Service attack, but that impacts are limited. However, in our research we have demonstrated that 2.15.0 can still allow for exfiltration of sensitive data in certain circumstances. We have passed technical details of the issue to the Apache Foundation, but in the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible.”"

As you can see in this tweet, Forge updated to 2.15.0 which is still vulnerable, but did not update to 2.16.0 as of yet:

Link to comment
Share on other sites

The Praetorian article was about a recent workaround that was discovered which still allows exfiltration of data in Log4j 15.0.
Remote code execution is no longer possible. I want to make absolutely sure that Forge also addressed this newer workaround 

I'm not a cyber-security expert but I take what I read from Praetorian seriously. they recommended updating to log4j 16.0.
Did forge also address this newer exfiltration of data exploit? 

Edited by Yaga
fixing a typo
Link to comment
Share on other sites

32 minutes ago, diesieben07 said:

This is correct as far as I know. As such no action is needed.

Alright. thanks for letting me know
Still it wouldn't harm to update to Log4j 16.0 as recommended by cyber security experts at Praetorian

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Announcements



  • Recently Browsing

    • No registered users viewing this page.
  • Posts

    • Sometimes, tweaking load order or specific configs can also help ease those conflicts.
    • I have recently tired downloading forge so i can run mods for hypixel skyblock but whenever i download forge and do it the same way as videos and tutorials forge keeps downloading as log file and doesnt download the .jar file any help will be aprecciated.
    • So I have created a Create Mod Server with my friends and i to play everyone can join play except one of my friends because when he tries to launch the game from the CurseForge Launcher it will load but never open or give him a crash report, we have tried everything from deleting CF and reinstalling it to Updating his drivers, IDK what to do if anyone can help I would be very Grateful
    • I get this error when trying to start the server for forged mods. In the code below it mentions distant horizons but no matter what mod I put in (deleting distant horizons) it still gives an error and doesn't launch Crash Report UUID: 3e91d5c7-18a7-43c2-a935-a8d28de560d1 FML: 47.3 Forge: net.minecraftforge:47.3.10[23:33:47] [main/ERROR] [minecraft/Main]: Failed to start the minecraft server net.minecraftforge.fml.LoadingFailedException: Loading errors encountered: [    Distant Horizons (distanthorizons) encountered an error during the sided_setup event phase§7java.lang.ExceptionInInitializerError: null]     at net.minecraftforge.fml.ModLoader.waitForTransition(ModLoader.java:246) ~[fmlcore-1.20.1-47.3.10.jar%23104!/:?] {}     at net.minecraftforge.fml.ModLoader.lambda$dispatchAndHandleError$20(ModLoader.java:210) ~[fmlcore-1.20.1-47.3.10.jar%23104!/:?] {}     at java.util.Optional.ifPresent(Optional.java:178) ~[?:?] {}     at net.minecraftforge.fml.ModLoader.dispatchAndHandleError(ModLoader.java:210) ~[fmlcore-1.20.1-47.3.10.jar%23104!/:?] {}     at net.minecraftforge.fml.ModLoader.lambda$loadMods$15(ModLoader.java:190) ~[fmlcore-1.20.1-47.3.10.jar%23104!/:?] {}     at java.lang.Iterable.forEach(Iterable.java:75) ~[?:?] {}     at net.minecraftforge.fml.ModLoader.loadMods(ModLoader.java:190) ~[fmlcore-1.20.1-47.3.10.jar%23104!/:?] {}     at net.minecraft.server.loading.ServerModLoader.load(ServerModLoader.java:31) ~[forge-1.20.1-47.3.10-universal.jar%23108!/:?] {re:classloading}     at net.minecraft.server.Main.main(Main.java:125) ~[server-1.20.1-20230612.114412-srg.jar%23103!/:?] {re:classloading}     at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[?:?] {}     at java.lang.reflect.Method.invoke(Method.java:580) ~[?:?] {}     at net.minecraftforge.fml.loading.targets.CommonLaunchHandler.runTarget(CommonLaunchHandler.java:111) ~[fmlloader-1.20.1-47.3.10.jar%2369!/:?] {}     at net.minecraftforge.fml.loading.targets.CommonLaunchHandler.lambda$run$1(CommonLaunchHandler.java:103) ~[fmlloader-1.20.1-47.3.10.jar%2369!/:?] {}     at net.minecraftforge.fml.loading.targets.CommonServerLaunchHandler.lambda$makeService$0(CommonServerLaunchHandler.java:27) ~[fmlloader-1.20.1-47.3.10.jar%2369!/:?] {}     at cpw.mods.modlauncher.LaunchServiceHandlerDecorator.launch(LaunchServiceHandlerDecorator.java:30) ~[modlauncher-10.0.9.jar%2355!/:?] {}     at cpw.mods.modlauncher.LaunchServiceHandler.launch(LaunchServiceHandler.java:53) ~[modlauncher-10.0.9.jar%2355!/:?] {}     at cpw.mods.modlauncher.LaunchServiceHandler.launch(LaunchServiceHandler.java:71) ~[modlauncher-10.0.9.jar%2355!/:?] {}     at cpw.mods.modlauncher.Launcher.run(Launcher.java:108) ~[modlauncher-10.0.9.jar%2355!/:?] {}     at cpw.mods.modlauncher.Launcher.main(Launcher.java:78) ~[modlauncher-10.0.9.jar%2355!/:?] {}     at cpw.mods.bootstraplauncher.BootstrapLauncher.main(BootstrapLauncher.java:141) ~[bootstraplauncher-1.1.2.jar:?] {}  
    • This error keeps coming up after player tries to join server, doesn't happen to anyone else.  Error: Internal Exception: io.netty.handler.codec.DecoderException: java.lang.ArrayIndexOutOfBoundsException: Index 17196645 out of bounds for length 13 Heres the latest.log https://pastebin.com/uaw3KC0K  Heres the debug.log https://drive.google.com/file/d/1QzqtCMUf7ps1Iz85AOsMM7W8QhbHjBeU/view?usp=sharing
  • Topics

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.