Skip to main content

Mitigating CVE-2021-44228 in Minecraft

If you are using Minecraft 1.18 or older we recommend following this guide to install a patch to mitigate against any Remote Code Execution (RCE) vulnerabilities due to CVE-2021-44228 in log4j.

If you would like to read more about the patch you can read our blog at https://www.creeperhost.net/blog/mitigating-cve/

How to install the patch on a client

This guide will be using the CurseForge app as an example.

First go to https://github.com/CreeperHost/Log4jPatcher/releases/latest and download the Log4jPatcher.jar.

Once its downloaded open up the root of your Minecraft installation (this can be the .minecraft folder or an instance folder of the launcher you are using).

To open the instance folder on CurseForge click on the image of the instance then click on the 3 vertical dots and select Open Folder

Overwolf_2021-12-10_16-18-14.png

Overwolf_2021-12-10_16-18-33.pngOverwolf_2021-12-10_16-18-44.png

It will now open a new Explorer/Finder window where you want to move/copy the Log4jPatcher.jar file to (Do NOT put this file in the mods folder). If the file is name a little differently I would recommend renaimg the file to Log4jPatcher.jar as it will make it easier to follow the rest of the guide.
After moving the file to the folder it should look similar to the image below

explorer_2021-12-10_16-32-57.png

You can now close the Explorer/Finder window and go back to the CurseForge app.
Once back in the CurseForge app click on the settings cog in the bottom right

Overwolf_2021-12-10_16-24-51.png

Now click on Minecraft and scroll down until you see an option named Additional Arguments.
In the textbox below add the following argument -javaagent:Log4jPatcher.jar

Overwolf_2021-12-10_16-30-36.png

When you now click on play it will load the patch for you.

If you do not have the Log4jPatcher.jar in the instance or did not place it in the correct place, Minecraft will crash after clicking play.

How to install the patch on a server

First go to https://github.com/CreeperHost/Log4jPatcher/releases/latest and download the Log4jPatcher.jar.

Now go to where your Minecraft server is installed and copy/move the Log4jPatcher.jar to that folder (Do NOT put this in the mods folder)

You will now need to edit your startup script/arguments and add -javaagent:Log4jPatcher.jar before the minecraft_server.jar.

E.g java -jar -javaagent:Log4jPatcher.jar minecraft_server.jar --nogui

Back to top