Minecraft: Java Edition should be patched immediately after severe exploit discovered across web

Minecraft Java Edition still
(Image credit: Mojang)

A far-reaching zero-day security vulnerability has been discovered that could allow for remote code execution by nefarious actors on a server, and which could impact heaps of online applications, including Minecraft: Java Edition, Steam, Twitter, and many more if left unchecked.

The exploit ID'd as CVE-2021-44228, which is marked as 9.8 on the severity scale by Red Hat but is fresh enough that it's still awaiting analysis by NVD. It sits within the widely-used Apache Log4j Java-based logging library, and the danger lies in how it enables a user to run code on a server—potentially taking over complete control without proper access or authority, through the use of log messages.

Best of Minecraft

Minecraf 1.18 key art

(Image credit: Mojang)

Minecraft update: What's new?
Minecraft skins: New looks
Minecraft mods:  Beyond vanilla
Minecraft shaders: Spotlight
Minecraft seeds: Fresh new worlds
Minecraft texture packs: Pixelated
Minecraft servers: Online worlds
Minecraft commands: All cheats

"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled," the CVE ID description states.

The issue could affect Minecraft: Java Edition, Tencent, Apple, Twitter, Amazon, and many more online service providers. That's because while Java isn't so common for users anymore, it is still widely used in enterprise applications. Fortunately, Valve said that Steam is not impacted by the issue.

"We immediately reviewed our services that use log4j and verified that our network security rules blocked downloading and executing untrusted code," a Valve representative told PC Gamer. "We do not believe there are any risks to Steam associated with this vulnerability."

As for a fix, there are thankfully a few options. The issue reportedly affects log4j versions between 2.0 and 2.14.1. Upgrading to Apache Log4j version 2.15 is the best course of action to mitigate the issue, as outlined on the Apache Log4j security vulnerability page. Although, users of older versions may also be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath. 

If you're running a server using Apache, such as your own Minecraft Java server, you will want to upgrade immediately to the newer version or patch your older version as above to ensure your server is protected. Similarly, Mojang has released a patch to secure user's game clients, and further details can be found here.

The long-term fear is that, while those in the know will now mitigate the potentially dangerous flaw, there will be many more left in the dark who will not and may leave the flaw unpatched for a long period of time.

Many already fear the vulnerability is being exploited already, including CERT NZ. As such, many enterprise and cloud users will likely be rushing to patch out the impact as quickly as possible.

"Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately," Security firm Randori says in a blog post on the vulnerability.

Jacob Ridley
Managing Editor, Hardware

Jacob earned his first byline writing for his own tech blog. From there, he graduated to professionally breaking things as hardware writer at PCGamesN, and would go on to run the team as hardware editor. He joined PC Gamer's top staff as senior hardware editor before becoming managing editor of the hardware team, and you'll now find him reporting on the latest developments in the technology and gaming industries and testing the newest PC components.

Read more
Mister Fantastic giving a thumbs up
A Marvel Rivals player has uncovered 'one of the most dangerous vulnerabilities a game can have' that'll let cheaters take over your PC and find your passwords
New shaders in Minecraft following Minecraft Live 2025
In the year of our lord 2025, Mojang is finally adding shaders to Minecraft, making reflective lighting and water effects more accessible for all
A Path of Exile 2 sorceress casting flaming skulls in a hellish landscape
'We are incredibly sorry': Path of Exile 2 devs apologise for data breach that saw 66 accounts snatched and personal info potentially stolen
Path of Exile 2 early access class key art
Around 66 accounts in Path of Exile 2 were compromised, due to a one-two punch of an old unused Steam account and a backend bug
Steam logo
A web3 free-to-play survival game found to be a front for installing malware on your PC has finally been removed from Steam
Pipboy holds up an open padlock.
A BIOS update could be all that's stopping you or someone else from jailbreaking your old AMD CPU
Latest in Survival & Crafting
An April Fool's Day Palworld game concept about dating Pals
From Palworld movies to Palworld TV shows: 'Everyone under the sun pitched us every idea you can imagine,' says Pocketpair's communications director
Pacific Drive Endless Expeditions spring 2025 update trailer still - a sexy, tricked-out 1980s station wagon being blasted with magic healing electricity
Pacific Drive developers change their mind: A year after refusing to give it mid-run saves, it's getting mid-run saves
minecraft diamond level sword
Minecraft's never going free-to-play because as it stands it's 'the best deal in the world'
New shaders in Minecraft following Minecraft Live 2025
In the year of our lord 2025, Mojang is finally adding shaders to Minecraft, making reflective lighting and water effects more accessible for all
A dried ghast, a ghastling, and a friendly ghast all smiling
The latest Minecraft Live uncovered the tragic truth of the Nether's most bothersome mob, which has unlocked new levels of guilt
Three mobs in their regional forms in Minecraft Spring to Life update
Minecraft Spring to Life update: everything you need to know about the newest drop
Latest in News
A female Zoi making two hearts with her fingers.
Following 24 hours of Denuvo-based backlash, Inzoi is taking a surprising step and removing it entirely: 'We want to sincerely apologise for not aligning more closely with player expectations'
An image of a Helldiver from Helldivers 2 shooting at a red dragon from Dungeons & Dragons.
'Ok, so dragon builds are a thing now': galaxy-brained Helldivers 2 player incinerates a bile titan with a hover pack and a flamethrower
An ancient, angry stone mech from No Man's Sky's new Relics update
No Man’s Sky lets you unearth ancient, angry mechs in the astro-archaeology filled Relics update
Assassin's Creed Shadows promo image
Ubisoft scores a legendary ratio against Elon Musk on his own platform—which hopefully marks a final end to all the Assassin's Creed Shadows' culture war nonsense
Tzarina Katarin Bokha, the Ice Queen of Kislev
Total War: Warhammer 3 rolls out a cool Kislev overhaul, changes befitting Tzeench’s magic, new projectile units and creakier skeletal horses
An image of a golden first place award from Geoguessr
'We're actually getting GeoGuessr on Steam before GTA 6': the Google Street View puzzler arrives on Valve's platform this April