Posted (edited)

As you guys may or may not know already, the often used "Log4j" library has been compromised, and I strongly recommend that your devs or you take immediate action by updating this library or using something else.
If you don't know what to do, and you are more than sure that you are using this library, you can simply disable any logging that a user has "direct" access to. For example, the chat log, since players can say whatever they want and it will be processed by the log4j engine.

For more info read it here:
https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/

https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

 

https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

Edited by HyperBlown
  • Thanks 2
  • Upvote 1
Posted

The L2J team has been aware of that issue for 3 days.

About aCis, we never used that library no matter the revision, but I'm aware some forks of my project migrated to it.

You can solve the exploit by updating the log4j lib ASAP to version 2.15.x or later.

In addition to @HyperBlown's links, more info here: https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/

PS: that library is used everywhere, so consider reviewing your whole server if you own and run multiple services holding Java projects.

  • Upvote 1
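
An added example, not written by either poster and not part of L2J or aCis: a Python inventory script for the "review your whole server" advice in the reply above. It walks a directory tree, reads the log4j-core version from each archive's embedded Maven metadata (falling back to the file name), and flags anything below 2.15, the threshold given in that reply; the directory names and sample jars in `demo()` are constructed for illustration.

```python
import os, re, tempfile, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_FIXED = (2, 15)  # threshold taken from the reply above; raise it as advisories change

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no version found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def log4j_core_version(jar_path):
    """log4j-core version in a jar: embedded Maven metadata first, file name second."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM in jar.namelist():
                props = jar.read(POM).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    return parse_version(m.group(1))
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a real archive
    m = re.match(r"log4j-core-(.+)\.jar$", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None

def scan(root, min_fixed=MIN_FIXED):
    findings = []  # (path, version, needs_update) per archive that bundles log4j-core
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                ver = log4j_core_version(path)
                if ver is not None:
                    findings.append((path, ver, ver[:2] < min_fixed))
    return sorted(findings)

def demo():
    """Build constructed sample jars in a temp dir (not real servers) and scan them."""
    samples = {"gameserver/libs/log4j-core-2.14.1.jar": "2.14.1",
               "loginserver/app-shaded.jar": "2.11.0", "tools/log4j-core-2.15.0.jar": "2.15.0"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zipfile.ZipFile(path, "w") as jar:
                jar.writestr(POM, f"version={ver}\n")
        return [(os.path.relpath(p, root), v, bad) for p, v, bad in scan(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `scan()` on each directory that holds Java services. Jars nested inside other jars are not opened by this script, so check such bundles separately.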
