Log4J exploit - Exploit found in popular Java library

Now I'm curious if anyone's using this exploit in any way for Old School RuneScape. I won't even pretend I understand most of that, but if it can affect the Java version of Minecraft then there's probably an application for it to be abused in OSRS as well.
 
Shit's funny AF.

In Java projects just about every library uses log4j. This by itself causes a big clusterfuck due to issues with differing versions of log4j available at runtime. It's extra work to determine which version is being packaged and most programmers don't bother.

Many projects will need to have manual exclusions of log4j added for a fuck-ton of deps then the fixed version added. THEN the project will have to be tested against the webserver itself bc guess what: a lot of times the appserver adds a copy of log4j too. Updating an appserver is a fairly major undertaking.
 
> Because it's a mess of Java spaghetti code, and no game should even be built on Java in the first place
I still don't understand why it was written in Java. By the time it came out there had to be less verbose languages with the same available libraries.
 
> It's just a video game. What's stopping you from just using println?
Println is garbage for logging and anyone who uses it should be shot. Log messages like "failed to build the block" are garbage. You need log levels and the location of the message in the code. Log4j makes it really easy to print the location of the error, line and class, method name, AND the full stack trace. That stack trace is the difference between a day of work just to diagnose and 10 mins until you know what fucked up.
 
So if I understand this correctly, a feature that very few users of this extremely commonly used library knew existed, much less used, could execute arbitrary code from any remote server with no security checks. And the problem was reported almost a month before a fix went in, then took another week to get released. The response from Apache about this delay was "what do you expect, we're just volunteers, give us money if you want shit done fast". :story: The absolute state of software "engineering"
 
> Println is garbage for logging and anyone who uses it should be shot. Log messages like "failed to build the block" are garbage. You need log levels and the location of the message in the code. Log4j makes it really easy to print the location of the error, line and class, method name, AND the full stack trace. That stack trace is the difference between a day of work just to diagnose and 10 mins until you know what fucked up.
Java already has the functionality to print out a full stack trace. I see no reason to use a third-party library just for that.
 
> Java already has the functionality to print out a full stack trace. I see no reason to use a third-party library just for that.

Minecraft uses third-party libraries.

These libraries inevitably use log4j.

So even if Minecraft itself doesn't use the library, it's still on the class path and vulnerable.

Edit: look at the fix for PaperMC, which is supposedly a high-performance open source Minecraft server. https://github.com/PaperMC/Paper/co...4c2e2da1ce03a5b4656f7be13d75f295846beeeccff17
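The two posts above make the same operational point: it is not enough to know whether your own code calls log4j, because transitive dependencies, fat jars and the appserver itself can each put their own copy of log4j-core on the classpath, and each copy has its own version. The added example below (not code from the thread or from any project mentioned in it) is a small inventory script that walks a deployment directory, opens every jar/war/ear, recurses into archives nested inside them, and reports each log4j-core it finds with its manifest version and whether it still ships the `JndiLookup` class. The safe-version threshold is a parameter the operator sets from the vendor advisory; the value used in the demo, the file names and the manifest contents are constructed sample data, not real artifacts.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Class that implements log4j-core's JNDI lookup in the standard 2.x layout;
# its presence in a jar means the lookup feature is on that classpath.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_manifest_version(manifest_text: str) -> Optional[str]:
    """Return the Implementation-Version declared in a MANIFEST.MF, if any."""
    for line in manifest_text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' (or '2.17.1-SNAPSHOT') into a comparable 3-tuple."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2])


def inspect_archive(label: str, data: bytes, min_safe: Tuple[int, int, int],
                    findings: List[Dict]) -> None:
    """Record every log4j-core in this archive and in archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            version = parse_manifest_version(
                zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        is_core = any(n.startswith(LOG4J_CORE_PREFIX) for n in names)
        has_jndi = JNDI_LOOKUP_CLASS in names
        if is_core:
            # Flag when the JNDI lookup class is shipped and the version is
            # unknown or below the operator-supplied threshold.
            outdated = version is None or version_tuple(version) < min_safe
            findings.append({"location": label, "version": version,
                             "has_jndi_lookup": has_jndi,
                             "flagged": has_jndi and outdated})
        # Fat jars, wars and ears bundle their own libraries: recurse into them.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(f"{label}!{name}", zf.read(name), min_safe, findings)


def scan_directory(root: str, min_safe: Tuple[int, int, int]) -> List[Dict]:
    """Inventory every archive under root; labels are paths relative to root."""
    findings: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(label, fh.read(), min_safe, findings)
    return findings


def _make_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (class bodies are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed deployment: old, stripped and new log4j-core plus a war bundling its own."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-old.jar"), "wb") as f:
        f.write(_make_jar("2.14.1", True))          # old version, lookup present
    with open(os.path.join(lib, "log4j-core-stripped.jar"), "wb") as f:
        f.write(_make_jar("2.14.1", False))         # old version, JndiLookup removed
    with open(os.path.join(lib, "log4j-core-new.jar"), "wb") as f:
        f.write(_make_jar("2.17.1", True))          # at threshold, not flagged
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:           # appserver-style nested copy, no manifest
        zf.writestr("WEB-INF/lib/log4j-core-bundled.jar", _make_jar(None, True))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> List[str]:
    """Scan the constructed tree; return the locations that need attention."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_directory(root, min_safe=(2, 17, 1))  # assumed threshold
        return sorted(f["location"] for f in findings if f["flagged"])


if __name__ == "__main__":
    for loc in demo():
        print("needs update:", loc)
```

The nested-archive recursion is the part that matters in practice: a copy of log4j-core inside a war or shaded jar does not show up in the build's dependency tree, which is exactly the "appserver adds a copy too" case. A copy with the lookup class removed is not flagged, since that is a recognised mitigation, and a copy with no manifest is treated as unknown and therefore flagged rather than silently passed.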
 
> Why does Minecraft need some complex third party logging library?
Just to take the very simplest case where you're logging errors to a flat text file, a production system still needs to deal with issues like "What if the disk is full", "What if the logfile exceeds the maximum file size on the file system", "Can I rotate logfiles so we can delete/archive the old ones", "Is this log() function thread-safe or what", and so on. You can write all that fiddly code for spillover and whatnot yourself, but oftentimes it's better to just use a library that's already done that work.
 
> Just to take the very simplest case where you're logging errors to a flat text file, a production system still needs to deal with issues like "What if the disk is full", "What if the logfile exceeds the maximum file size on the file system", "Can I rotate logfiles so we can delete/archive the old ones", "Is this log() function thread-safe or what", and so on. You can write all that fiddly code for spillover and whatnot yourself, but oftentimes it's better to just use a library that's already done that work.
Yeah but those aren't really concerns a video game should have. If your game client crashes and the logs get lost in some border case, it's not a huge deal.
And frankly log rotation etc. should be handled by an external service supervision system.
 
> I still don't understand why it was written in Java. By the time it came out there had to be less verbose languages with the same available libraries.
The game was started as a joke with little intention of turning into the current behemoth it is.
Minecraft didn't even have proper model import until very recently. Models were constructed and animated by various immediate mode functions. (Despite an early version of Minecraft having support for Quake 3 models, Notch never properly used this for some reason.)
Minecraft's codebase (especially the rendering) is a horrible inefficient mess.
 
> Yeah but those aren't really concerns a video game should have. If your game client crashes and the logs get lost in some border case, it's not a huge deal.
> And frankly log rotation etc. should be handled by an external service supervision system.
Why are you arguing about this?

Minecraft is coded in Java and it's a buggy game. Why wouldn't it use a Java logging library?
 