Log4Shell vulnerability in log4j2

Thought it was worth mentioning this as we are a group of extensive Java users and this is a huge vulnerability. I’ve checked jMonkey itself and it doesn’t use log4j2, so the core should be safe, but I expect a lot of our projects (including several of mine) use log4j2. I’m not sure where the source for the backend jmonkeyengine.org services is, so I haven’t checked those.

My reading of the vulnerability is that for any version of log4j2 earlier than 2.15 (which came out yesterday, so pretty much any version of log4j2), if a user’s input is logged (be that from an API call or typed into a chat box etc.) then that user is able to execute arbitrary code. I’m thinking multiplayer games are particularly at risk.

4 Likes

And you can fix it by either upping your log4j2 version to 2.15 or setting a system property.

`-Dlog4j2.formatMsgNoLookups=true`

Ars Technica article: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet

3 Likes
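The two practical questions raised in the posts above are "which of my projects ship a log4j2 older than 2.15?" and "is the `-Dlog4j2.formatMsgNoLookups=true` workaround actually on the JVM command line?". The script below is an added example (not from the thread, jMonkeyEngine, or the Log4j project) that answers both for a packaged game: it walks a directory tree, reads the version out of the `pom.properties` that Maven packs into `log4j-core` jars, flags anything below a threshold, and checks a JVM argument list for the workaround property. Assumptions: the fix threshold is the 2.15 named in the thread (kept as a parameter so it can be raised as guidance changes), jars carry the standard Maven `META-INF/maven/.../pom.properties`, and the sample `lib/` tree with a `jme3-core` jar and two `log4j-core` jars is constructed in a temp directory purely for the demo.

```python
"""Flag log4j-core jars below a fix threshold and check for the formatMsgNoLookups workaround.

Added example for a defender auditing a packaged Java project; not code from the thread or any project.
"""
import os
import re
import tempfile
import zipfile

# Assumption: threshold follows the thread's advice (upgrade to 2.15); raise it as guidance changes.
FIX_THRESHOLD = (2, 15, 0)

# Standard path Maven packs into log4j-core jars; it records groupId, artifactId and version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# The workaround system property named in the thread.
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """Turn '2.14.1' or '2.15' into a 3-tuple; a suffix like '-rc1' stops the parse at its leading digits."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_below_threshold(version_text, threshold=FIX_THRESHOLD):
    """True if the jar version is older than the version that carries the fix."""
    return parse_version(version_text) < threshold


def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in the jar's pom.properties, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    return value.strip()
    except zipfile.BadZipFile:
        return None  # not a real jar; nothing to report
    return None


def scan_tree(root, threshold=FIX_THRESHOLD):
    """Return [(path, version)] for every log4j-core jar under root whose version is below threshold."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None and is_below_threshold(version, threshold):
                findings.append((path, version))
    return findings


def has_nolookups_flag(jvm_args):
    """True if the launch arguments (e.g. from a start script or `ps`) set the workaround property."""
    return any(arg.strip() == NOLOOKUPS_FLAG for arg in jvm_args)


def build_sample_tree():
    """Constructed sample: lib/ with one old and one patched log4j-core jar plus an unrelated engine jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for jar_name, version in (("log4j-core-2.14.1.jar", "2.14.1"),
                              ("log4j-core-2.15.0.jar", "2.15.0")):
        with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\nversion=%s\n" % version)
    with zipfile.ZipFile(os.path.join(lib, "jme3-core-3.4.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, version in scan_tree(sample_root):
        print("below threshold: %s (log4j-core %s)" % (path, version))
    launch = ["-Xmx2g", NOLOOKUPS_FLAG, "-jar", "game.jar"]  # constructed launch line
    print("workaround property set:", has_nolookups_flag(launch))
```

Point `scan_tree` at a distribution folder or a Gradle/Maven cache to cover every bundled copy; shaded or fat jars that repackage log4j without its `pom.properties` are not caught by this check, so the flag test on the real launch command remains the second line of defence until the dependency itself is upgraded.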

Thanks for informing us.