Log4shell vulnerability in log4j2

Thought it was worth mentioning this as we are a group of extensive Java users and this is a huge vulnerability. I’ve checked jMonkey itself and it doesn’t use log4j2, so the core should be safe, but I expect a lot of our projects (including several of mine) use log4j2. I’m not sure where the source for the backend jmonkeyengine.org services is, so I haven’t checked those.

My reading of the vulnerability is that for any version of log4j2 earlier than 2.15 (which came out yesterday, so pretty much any version of log4j2), if a user’s input is logged (be that from an API call or typed into a chat box etc.) then that user is able to execute arbitrary code. I’m thinking multiplayer games are particularly at risk.


And you can fix it by either upping your log4j2 version to 2.15 or setting a system property.


ArsTechnica article: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet | Ars Technica
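
One way to audit a project's build output for the versions the post describes, as an added example that is not part of the original post or of jMonkeyEngine. It assumes the jars carry the Maven `pom.properties` entry for log4j-core (fat jars often keep it), falls back to the file name otherwise, and takes 2.15 as the fixed release because that is what the post states; the jar names in the demo are constructed.

```python
import os
import re
import tempfile
import zipfile

# Maven metadata entry shipped inside log4j-core jars (assumed present).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first fixed release according to the post above

def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def core_version(jar_path):
    """Return the log4j-core version bundled in a jar, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            props = jar.read(POM).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        props = ""  # no metadata or unreadable archive: use the file name
    m = re.search(r"^version=(.+)$", props, re.MULTILINE) or re.search(
        r"log4j-core-(\d[\w.\-]*)\.jar$", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None

def find_vulnerable(root):
    """List (path, version) for every jar under root older than FIXED."""
    hits = []
    for folder, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            ver = core_version(path) if name.endswith(".jar") else None
            if ver and ver < FIXED:
                hits.append((path, ver))
    return hits

def make_jar(path, version=None):
    """Build a constructed sample jar (test data, not a real log4j build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM, "artifactId=log4j-core\nversion=%s\n" % version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_jar(os.path.join(tmp, "my-game-server-all.jar"), "2.14.1")
        make_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0")
        for path, ver in find_vulnerable(tmp):
            print("needs upgrade:", os.path.basename(path), ver)
```

Point `find_vulnerable` at a build or distribution directory; a jar that was shaded with its Maven metadata stripped will not be detected by this check.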


Thanks for informing us.