#general
Please don't post false and potentially dangerous "advice" like this
Wait when did @coarse lily turn red?
Your eyes are failing, old man.
He was too flustered from you
The color is called Mandy apparently.

?
i put 5+ hours of research into this i know what im talking about
I spent 15 minutes to find what I was looking for.. maybe you are in the wrong path 😂
Everyone should update their servers and restart their clients for the fix ASAP.
i put 5+ hours into my shitposting daily
krusic bro!
it is friday morning bro!
Fact.
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
You know it's fun when major tech news sites pick it up with somewhat weird information
Only 5?
Earlier versions of the article called it a Minecraft bug
really enjoyed reading the issue in apache's github repository for log4j
We do love some responsible disclosure
It's interesting that we wouldn't have this issue, if we knew that this option existed and was enabled by default. Since, most people don't have a use for it anyway.
Bro.
Bro.
Daily reminder.
We patched this years ago.
lol
Ok bro.
1.18.1 (2).
penis :)
ok
i thought KGBPaper was on 1.20 already
ur mom is on 1.20 already
That's the KGBPaper Red members exclusive build.
:c
I'm not a troll just wanted to post memes
Oke ty
@GreyNoise is currently seeing 2 unique IPs scanning the internet for the new Apache Log4j RCE vulnerability (No CVE assigned yet).
A tag to track this activity on https://t.co/QckU3An40q will be made available shortly and linked as a reply when released.
Hi
oh shit i totally forgot im on the 727 bus rn
Yeah.
Looks like Forge 1.6.4 doesn't like that. 
Bruh. It legit runs regex, if you do that. 
nice
which one for 1.18 and how much ram is overkill
money means nothing just help me pick lmao
(this is bloom.host)
https://bloom.host/minecraft/#order
If you want the whole lineup
all the time hands down
buy hw yourself ez
if money is no object just pay exorbitant amounts and be sure you've got nothing to worry about
the hypixel solution
the log4j bug allowed hackers to gain access to players' computers?
if this was syscraft I'd be !whichhost-ing you rn though. MORE DETAILS
read this:
All the info we can provide is pinned in the #paper-help channel
i can join syscraft on irc
All the info we can provide is pinned in the #paper-help channel
- idk a lot? maybe max 25 after the hype downs down
- vanilla
- Los Angeles, or anywhere US West really
- Hopefully no more than like $50/mo
- 1.18
pure vanilla or paper 👀
you'll want syscraft-mc
thanks left the other one
or mayhaps syscraft-hosting, i think that's the one for the hosting discussion channel
I haven't IRC'd for a while
hey another irc friend
have something against like... discord?
yes, they suspended my ass
was easier to just pop open thelounge and join #syscraft
true
The dates for version above snapshot 17w15a have been updated.
i peek into the computer science classroom just to see someone in photoshop with a kekw

How is it possible Microsoft wasn't aware of this? 😵
Well. They aren't omnipotent.
For the launcher versions the snapshot 13w37b switched with 1.6.3 in the order.
the bug was only discovered very recently and only got public a while ago
Ahh, I see. Well I must admit you guys have fixed it really quick.
ShellShock existed for 25 years before being discovered
Sometimes things just get overlooked
Vulnerability was added in Bash 1.03 in 1989, not discovered (or not disclosed anyway) until 2014
how long has this been used for?
It was reported about a month ago to the log4j folks, they fixed it 5 days ago, everyone else just found out in the last day or two
It's known there are bots sweeping the internet looking for things to exploit now but not when/if they were before it was public
mhm, i thought maybe i was safe since i hadn't played mc for 2 weeks but i'll look through my files to see if i got it, thanks for your answer!
you should see the message in the logs if you got funnied
you will not see the message in the logs unless you patched
logs are appended to not by log4j iirc
so the message will be there
No, it will not.
at least on the client
see #paper-help
also read the pin there
i have read the pin there
we won't tolerate authoritative sharing of fake news about this exploit
they told me you can not see the message if the person knows what they are doing
the pin has been updated several times in the past 2 hours alone
so i believe them
stamp it as fake news then, sure
it is.
never knew how toxic this community is
I don't get why people who haven't been testing and working alongside the entire community of Paper developers for a full day about this issue want to override those who have
We know that logging can be prevented
You're spreading the misinformation. I've been working on this exploit for literally 17 hours. I know how this thing works and I know exactly how it can be exploited to the worst. It's absolutely possible, and VERY EASY to remove it from the logs.
Anyways, we try and be kind to people but we've also been dealing with this sorta stuff since it started, and our patience wears thin. We strive to give you the most accurate and useful information possible, take us at our word that we've ensured we aren't lying.
With things like that, dismissing it or not being cautious enough can quickly backfire. Just a few hours ago we were pretty sure RCE is only an issue on really old Java versions, now we know that is not the case. It is always best to be more careful while these things are still developing
is the CVE out there yet?
doubt
CVE is not yet published
The number is reserved, but the details are not public yet
yeah just found it on github
Based.
Is who disclosed it public information?
I think Alibaba?
Wouldn't surprise me.
"in November the Alibaba Cloud security team disclosed a vulnerability in Log4j2"
from the ars technica article
It's a severe security exploit in a widely used library
Not really surprising that it affects a lot of things
Just hope everyone updates in time. Shellshock also had a huge scale and we mostly survived that without incidents.
Yeah, I'd say this is maybe a level below Shellshock and the likes, because this is not in a "standard" library that everyone uses, only in a library that a lot of people use
There a dedicated channel for discussing PRs to papermc.io itself?
No, but I saw your PR
oki
#paper-dev falls under that, no?
yep
which is a shame, because legacy support is nice
and having one link to auto resolve mentioning issues or PR numbers was nice
darn
@ person on IRC (?) I assumed #paper-dev was just for the server itself
i'd say they're closely related enough to fit in the same channel
I guess?
PR already got seen anyway, dont have to ask about it
and its not like its a breaking issue anyways
you can still download builds
sitting in cafeteria
hear SUPER IDOL DE XIAO RONG behind me
resisting the urge to sing along
absolutely based place you live in, naomi
in fact we should use the new Log4J exploit to play super idol de xiao rong in everyone's clients 
SUPER IDOL DE XIAO RONG DOU MEI NI DE TIAN BA YU ZHENG WU DU YANG GUANG DOU MEI NI YAO YEN
YAN*
do i need to go on

that'd be shit
It doesn’t show in the mentionable people
What did you even do?
literally existing
There you go.
She existed too late
Looks like you’re not deleted naomi
yeah my account still exists
@wispy blade is still here
just checked
let's hope we don't get to that point lol
yeah im gonna change my discord username to xxnaomibhop2021xx
nah i reach the age of digital consent in my country in 3 days so all good
So you can consent to the deletion of your account?
Still can’t believe someone reported you lmfao
having a role in papermc would be pretty cool
how about "The GPT-3 Instance"
might have to bribe mini in exchange for a beer
Kacper did it
why can't
i
i pressed enter too early why am i this bad at typig
Enter is not a substitute for a space bar smh
i know, enter does not make you jump
man i love all the cybersec experts crawling out of the woodwork to tell us all we're incorrect about everything
Everyone an expert on the internet
if i wanted to talk cybersec i'd call ZOLDER BV
I find it funny people are confidently incorrect
Zolder is cool
cybersecurity "experts" flat out refuting POCs is hilarious
How many times do people threaten to leave Paper every day in #paper-help? Can we get some stats on this? I've seen it three times today
Too many
You should see how many instantly leave after I ping everyone
we've had about 100x the activity we normally do today, so .03 people per day unless they're very entitled
sad that Discord only updates the metrics once a week or so
Naomi when?
when what
I believe waterdrunkgirl or whatever it was, when they got banned.
^^
no they also pinged a now banned user
I’m off to sleep. Night everyone. ❤️
The discord snowgiving server getting 4K boosts
Can naomibot see which message you're replying to when you do that?
Today 381 users left this discord, and 1541 joined (o.O)
does the fix for 1.12+ clients by Mojang also apply to modded clients, or is it only for vanilla?
Naomibot lol
Wow that's nice
pretty darn sure
Yes.
damn I wanted to make a joke but I forgot Naomi is like 5
You know it checks out.
nAomI = nom AI
Hey wdym by that?
wtf aurora

i will not send you anime art i find on twitter and pixiv at all today.
just because of that
Naomi what’s your Line ID
dont have line

i don't think anyone ever messaged me on line 😦
Line is and has always been the superior messenger; change my mind
Sorry to drill the topic into the ground, but would remote class loading being off in the JVM neutralize this as well?
five, you're forgetting starcraft 2 ingame chat
Not entirely
no.
Oh I’m not into starcraft
I'm not a good Java dev, I'm just going off commits
You'd think it would, but it doesn't at all.
Who is Korean
What else is needed to mitigate Kevin?
explain yourself xernium
Not going to say.
Oh, right. My bad.
I’m Austrian like aurora you pleb
Yeah that was stupid in hindsight. I've been getting irritated with people asking that all day.
technically I'm german I just live in Austria
I kinda want to do a writeup because of how cool this bug actually is but I gotta wait a while.
I'd read it
Help the people in #paper-help
no
I don't have the energy
there would not be much to suck so it's fine
Technically I’m Austrian but live in Germany


don't let me go through all bonks I have

My family is German does that count?
my great-great grandfather is belgian does that count

No you did not
yes i did
monkegame has sauce emotes, all from the same shitty venom x konosuba sauce
it's a thing that me and smertie do sometimes
we go to That One Website and click random a bunch of times and "rate"
ok thanks
1.12.2 exploit fix updated?
thanks
they wont bother to fix outdated versions
The Konosuba Channel from Isekai Museum livestream event announced a new anime project for Natsume Akatsuki's Kono Subarashii Sekai ni Shukufuku wo! (Konosuba: God's Blessing on This Wonderful World!) light novel on Sunday. The event also revealed a key visual (pictured above). Akatsuki originally penned the adventure comedy light novel, abbrev...
?
Let's not share these kinds kthx
It was literally telling what it was and how to prevent it?
It wasn't anything wrong......
"what it is" is the problem
Bruh?
iirc that video makes it clear what you do to exploit it
Unless that was a different one
Yeah that video is no good here
Okay...
i see some terminal stuff behind
Trying to avoid sharing how to do the exploit
perhaps it demonstrates how to do it?
It does
It does.
yeah thats a no no
But it wasn't showing it in a bad way.
Discord ToS potentially banned such things and it's just not a good idea anyway
people can use things that are meant to be used for good to be used for bad
Maybe in a few days once things have settled and we have established fixes for everything and people have had time to learn about them
Then you can talk about "wow how dumb was this, you can just do X and trigger it"
It's just funny to test it with friends on private servers, because you can learn from it.
But right now that's telling people how to use an attack that people are actively exploiting (and not just against Minecraft even)
shut up smertie
shut up bot naomi
would mojang bother to backport the 1.18.1 fix to older versions tho (servers)
Probably not
People who know how to abuse it, don't have to watch that video.
There are plenty of teenagers in this discord 😛
yeah 1.8 and 1.12 servers are gonna get hurt from now on
Most definitely. 😂
🙃
It's already fixed, if you just use lunar client, or add a simple java startup flag.
Those would be the people who would enjoy using that to crash servers but don't know how to figure it out on their own
FUCKING WRONG
Maybe they found it somewhere else but whatever, not going to share that here
flag doesnt work <1.16.5 iirc
Because?
it DOES work
Aiii 😂😂😂
I'm not telling why or how but it DOES.
It's a slightly different exploit but I've personally RCE'd all versions of java right up to java 17.
the flag works...??
Yes, agreed.
oh nevermind
The flag works, the "oh you're on a recent java version" is total bunk.
yeah spigot folks say the same thing too
Oww, that sucks tbh.
<@&748618676189528155>
paperspigot exploit fix released???
Getting spooky messages from this fella here
this might be a dumb question but can OpenJDK or any OpenJDK distribution (Adoptium, Corretto, Zulu etc) do anything about this or no?
no
all jdk distributions and versions and literally nothing, NOTHING you do regarding java version will fix this.
!ban @sand estuary Steam Phishing
:raised_hands: Banned DTM Panda#4159 (Steam Phishing) [1 total infraction] -- aurora#4484.
is it possible for them to release a fix though?
I'm not sure if it's possible or not.
I think it's probably not possible, but don't quote me on that.
Conspiracy theory: this whole thing is a plot by Mojang to force people to update to the new launcher
no, this whole thing is ACTUALLY invented by the paper mods to increase the popularity of the paper discord server and to drive more traffic to the paper website.
MultiMC. 🛌
Brilliant moves
doesnt work smh
PaperSpigot is unsupported, update to Paper
Many people still don't realize how bad this really is
We will grow to hate this CVE
shit ghidra cracked 
Ghidra cracked?? enable online mode!! 😠
I had a rather grave realization that I'm not going to share publicly
This isn't good.
I'm surprised at how little media attention this has so far
All I can say is get fucked everyone who use elasticsearch
Wait I think I have one at work for gitlab
knenytv livestream time!
My tweet has reached Japanese Minecraft News https://twitter.com/SaziumR/status/1469241438466899972 😂
I think by the evening tomorrow it'll be more wide
It’s received a lot of attention but just for Minecraft stuff
It’s odd
Realistically it’s a bigger issue outside of MC
because when you ask the average person what comes to their mind of the word "Java", half of the time they'll say Minecraft 
Spring
average person doesn't know what that is
They might know Java has something to do with Android
No, sorry. Just another casualty I thought of.
Doesn't spring default to using logback?
1.18.1 is released^^ edit: already said here, woopsies
Practically every big MC mod / plugin is gonna have a notification that tells us when updates release tbh 😛
So it’s hard to beat people who are gonna receive an alert
😆 yeah
someone nick my dc account again thx
it's still called naomi
likely
ohno
wow
MultiMC also did an update
i have a pfp?
no, multimc's patch screwed up some instances
So perhaps either they broke it or the two updates clashed
mojang's update had nothing to do with multimc
https://i.imgur.com/20yrP7j.png new github buttons design looks worse now
when paper 1.18.1
what the fuck is that
ty
@radiant oriole btw https://twitter.com/bad_packets/status/1469225135504650240
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (https://t.co/GgksMUlf94).
Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel
Yeah I saw that earlier
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
😄
we do love a good score
Oh the CVE is public now
Is it actually a 10? 
According to Apache
Didn't the post originally say that build 398 of 1.17 fixed the exploit? Now it's 399?
yes, I updated it because our initial fix had flaws
Nice.
A solid 10
Gotcha, thanks. May be worth another @ everyone because we thought we had fixed it. Really appreciate the work though
Even
gave it a 9.8. 
afaik the initial fix blocks the RCE and info leak but not the DoS
But the DoS seems to not work on Paper anyway, at least not on newer versions?
I guess maybe it would if you spammed it enough? Dunno if anyone tried
On vanilla it was a single attempt killed the server, on paper your console was just useless for 30 seconds or so
Still though, update
Quick question, does build #66 1.18 paper have the fix for the security issue?
see #announcements
I read that but I dont quite understand im sorry. So it does include the fix?
Paper 1.18 #66 or higher
Thank you so much!
sup
Does this fix protect clients from the exploit as well?
No
You need to update clients too
For 1.12+ vanilla that just means restart the game and launcher
If you're using forge, fabric, or any other launchers the fix might be more involved, check with them
Fabric looks like they're saying it will automatically install.
If you update to the latest version of Fabric Loader yes its fixed
forge just tells you to use the flag though
hi/hola
no shit
I mean there's a reason that the head of tech at Mojang was tweeting about it 
And they patched the vanilla client
asap
give it a few hours, news sites are already starting
might dm this to the CEO of Zolder BV
To be fair, this isn't exactly Mojangs fault
see if they continue zoldersessions finally
I'm gonna punch the next news page to call this a minecraft exploit
lol
It's an exploit by a 3rd party library (won't go further into detail on how it works)
no because it's already fixed
yes
I just send them an angry message already
like
they even acknowledge that it affects a lot of software at the end of the article
I news providers trying to “jump in” just making more chaos.
But this is just
“Minecraft exploit!!! OMG”
What's up with 1.5 that was my favourite version 😩

There were grass blocks, dirt blocks and ugh 
Tech journalism at its best, by @HITCgaming:
Calling a dangerous security exploit affecting software all over the world, like Steam & iCloud a "Minecraft exploit".
And then even acknowledging in the article that it affects a lot of other software
https://t.co/trYOIoUr38
what could the security exploit do tho?
Remote code execution.
Finally a worked force op!
2021 free download
The launcher versions above 13w39a which is a 1.7 snapshot have their date updated which suggests they have been updated with the fix.
Rip people playing tekkit on 1.6.4
lol, every channel is talking about this
1.6.4 doesn't use that library. 🛌
Unrip people playing tekkit on 1.6.4
jokes on you I play tekkit on 1.2.5
what does that mean at all
I can tell your computer to do stuff
oh
imagine just restarting everyone's pc on a server
Worse
yea
Imaging someone using your computer to host child porn or something
oh
I can make your PC hack the FBI
installing cryptominer
that's very bad
So they will come knock
imagine enslaving an entire server community's machines and networks as part of a botnet that commits international crimes 😎
or just send virus links
This is basically a virus, lol
i mean, yea
what if people just... didnt do that, and we played minecraft
where's the fun in that!
This affects so much more than just Minecraft
We just happened to be the first to understand the scope
The apache foundation sure didn't
And idk if Alibaba did
oh, ok. This is big, lol
yea
is 1.8 safe to play on at all at this point
why logging library even had capabilities to do such things in the first place though
I decided I wanted to start a server like 2 weeks ago... Excellent timing
yea
its part of the server/client so it has the same perms as the client/server
Apache said they're gonna release in 72 hours yesterday
imagine you playing chill then you start to see things in your computer
They since deleted that whole thread 😂
Yea really fun
and released it now lol
just don't use your computer, ez fix
plays on pojag launcher on mobile
Isn't it a log4j thing?
how could the simulation do this
The client also implements log4j
well you know minecraft logs every message from the chat, even when you spamclick the bed to go to sleep
next time im gonna fly bawl click on beds
Here's how stupidly easy and dangerous this exploit is... in case anyone's wondering the severity
discord has other problem- ‘uwu you got fwee nitwo pls sign up with youw steam account here <3’
Basically, type type, send command, take over a remote computer
I shut my server down 😮
@void void Don't send details about the exploit or how it's done here - see the pinned message in #paper-help
oop, sry. noob
oh so that's why some servers just crashed ig
Yes
Is this bug gonna be fixed on 1.12.2 ?
All the info we can provide is pinned in the #paper-help channel
Damn a lot of enterprise software uses java.
Like cash registers on the supermarkets.
gotta get into cash register logging systems
yes I'll buy one ||not gonna type it but the thing|| please
Can I buy jndi for 50 dollars plz
Tbf tho, you probably aren’t going to be able to log messages to a cash register as a customer
Oh I didn’t read one message under
thanks for buying with us! here's your discount for $9,999,999
tosh, edit pls
Srsly this actually might work
It's way too late anyways
Lmao yes
Haha watch youtube
On the bright side at least in the mc community the 12 year olds won’t know how to set up the thing so hopefully it shouldn’t be too bad until someone releases super force op hacked client for $300 and hopefully by then most servers will have updated
Actual latest would be 1.18 but 1.17.1 is latest stable. Also why did you crop out useful error info?
Oh wait he deleted his message :/
Ok cool
hangar wen
brekfast
All the info we can provide is pinned in the #paper-help channel
Finally https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
@vernal moth
german website 
bad security bug, should shutdown and backup your server until you verify your host updated
^^
everyday's bread
what's situation with log4j?? is now things safe or nah
All the info we can provide is pinned in the #paper-help channel
day #185 of trying to get abs (yesterday): no exercise
day #186 of trying to get abs (today): 50 Zone Minutes. Did 25 minutes of high intensity interval training. I am tired.
Just use one of these apps lol. You'll get abs in 30 days /s
endermen have 2 eyes, but with looting III you can get four of them
english version
1.18.1 spigot release
no
no
wHeN pApEr /j
when a working 1.18 fishing plugin... Far more important IMO
basically 1.18.1 is network compatible with 1.18 like 1.16.5 is to 1.16.4?
told my economics teacher to watch JoJo lmao
weeb
nice
im proud
tell your teacher to stop making you guys study and watching anime w you guys instead
i ❤️ gypt
You joke, but home workout improved my strength quite a bit
KENNY STREAM!
Paper general has improved my constitution
are you just an update bot soyab
I send all news related to not just minecraft but discord too.
I didnt say it was only minecraft related
@untold meadow BEST kezz
@twin lagoon BEST miceaheil
no more push to prod friday
Hi Michael hi kezz!!!
hey owen
Hi Naomi! 
HAHA MY BUS DRIVER IS WEARING A FEDORA
Based bus driver

👀
he likes stepping on the gas my god
m'lady
that's happened to me so many times in vanilla singleplayer that i wouldnt worry about it
sure, thanks
For MC 1.18.1, does the client fix the fog issue or is it the server that needs to be 1.18.1?
I did. The client updated but server didn't. Fog seems the same? But that doesnt make sense
Thought the client handled rendering
Paper 1.18.1 build out
is it stable?
thanks soyab update bot
Log4j
What does this exploit do
I need 1.8.9 one
i actually won this one
Gives you free robux.
uh anything the attacker wants
How to fix for 1.8
Fact
I dont play fortnite anyways
Theres a JVM argument to fix it
Roblox*
It went over my head
Oh yea
Not quite but its really dangerous
idk. fog has been really bad ever since i updated my client to 1.18 and since the server has nothing to do with rendering its probably JUST the client. unless the server is absolutely refusing to send chunks which it hasnt done before
I would link a video which shows how it works but the mods already got angry, so i wont do that xD
There are public posts about it
Update to .1
i've already put the JVM argument and it is not patched
If there werent people wouldnt be telling everyone about it
It should be
Because it doesn't fix them all.
????
The Argument only works on newer versions
oh
^
#paper-help pins
Is there a way to start a server with a datapack like the start the world from scratch?
And yes this exploit is as bad as it gets basically
Anyways it shouldnt be noticeable from a player perspective afaik
i have a doubt
Its even bigger than the one that allowed for tokenlogging in 2020
Wait i have purpur
can i use pterodactyl on an existing server
So I wanted to start it with the chunks generated within terralith's generation
I replaced my 1.17.1 to the newest one
This affects everything that uses log4j, not just java
Is it safe now?
Is log4j available outside of java?
Yey
No but virtually every company has a product that uses log4j
If it says 2021 you have a problem.
no wait then ....
It just said it
Did you mean outside of Minecraft then
we can play roadkill sim irl
Wth
Its not 2021
Thats good
wait lemme try it on my other server
If the server respond would be 2021 it wont.
You give it a var as parameter, and normally it would give you back the value of that var, which it now wont.
For example if the server would say 2021, players could use ${jndi: for example
oh sh*t
Which could be very bad
my other server says 2021
Just update the paper
hola :v
its on 1.12
Oww, then you have to wait for paper to update it.
i think there is 1 for it
There isn't.
Degraded performance on GitHub Actions.
there won't be
There is a way tho
Fun.
It says in paper pins
There is. You could block the event by writing a plugin for it.
Or remove the class.
You can just add the log config…
Bungeecord isnt affected
I thought it was?
Paper didnt make bungeecord
This bug isn't paper related at all?
No, bungee cord doesn’t use log4j. Paper’s fork of bungee cord, Waterfall does, and so it needed an update.
I have bungeecord jar
then you are fine.
Can i replace it with waterfall
yes
read pins in #paper-help on how to update it for 1.12
I did that
Now my server crashes every min
wait why does #starlight-github exist on this discord?
*restarts
oh
post crash logs in #paper-help then, a plugin is probably broken and causing it
did 1.18.1 fix the exploit?
yes
its fixed on all versions now afaik
i mean vanilla 1.18.1
yeah all vanilla versions should be fixed, it should download a new jar if u open minecraft
oh so fast all versions
It's not a new jar but yeah
Vanilla 1.18.1 is the only vanilla server version (>1.7) where it’s fixed without having to do anything extra tho.
woah woah I'm late
https://twitter.com/slicedlime/status/1469277537490677766 maybe i understood incorrectly idk
We've now released patches for all affected clients. If you have any running game instances, close them, close the Launcher and restart again (yes, even if you did it before - do it again now).
460
what exactly is the security issue that they found?

oh so what is it? i thought it would download a new jar
Sliced lime specifically says “clients” and I specifically said “servers”, two different things
Hi Sherman!
The client isn't just a single jar, it's a bunch of pieces and the launcher downloads them all
(Out of curiosity I'm nowhere near competent enough to abuse it lmao)
ello Owen
oh my bad, didnt pay attention
They updated some of the pieces, not the main client jar
Like, for the client all of its dependencies are separate files, all of the assets are, etc
oh got it
exploit uses the sugma library to blow up
haha
That's how they could get it done so fast, 1.12+ they only had to update a single file since it was an asset all modern versions shared
for reals though what happened
read pins in paper help
Exploit in log4j2 that can cause arbitrary code execution
Triggered by, among other things, messages in chat
Affects clients too so if you join a server and someone sends one of those messages they can hack your computer
well i know it's an exploit, I was curious as to what the exploit actually was
ah
how the hell did that happen in log4j of all things
Enterprise bullshit
fair enough
It logs too much.
I guess vulnerabilities are always in the most unexpected of places
Logging logger logged too hard
it's always interesting when people write malicious stuff in languages that aren't C or C++ if you ask me
Well it wasn’t meant to be malicious….
Someone thought your logger should be able to look shit up from a server to decide how to log things
I guess just, they made a big oopsie.
good point haha
Yes, a small error in judgement.
I'm gonna assume Minecraft isn't the only victim of this lmaoo
its not
whole world
Steam, iCloud, but so much
Steam search, iCloud, anyone who uses elasticsearch, etc
elshout backdoor
writing the backdoor in elshout sounds like a good idea
ello aurora
I'm in a xisumavoid video 😄 
he's probs the one backdooring
literally famous now
true
Ayo? 😳
don't talk to me anymore
Minecraft 1.18.1 The Caves & Cliffs Part 2 Update Playlist ► https://www.youtube.com/playlist?list=PL7VmhWGNRxKixIX8tWEQn-BnYKE9AaAXk
Minecraft 1.18.1 comes along with a critical security patch for all versions of minecraft!
https://twitter.com/slicedlime/status/1469150993527017483
https://twitter.com/aurora_smiles_/status/1469205803232026625
h...
hey aurora wanna play osu
😫😫
yes I need to test out my new osu playing headphones
felenov the dude banned for pirating?
yes
kek
anyway if you wanna VC join https://jitsi.nluug.nl/monkegame
Join a WebRTC video conference powered by the Jitsi Videobridge
Woah those are beefy
pirating what?
ur mom
not even just pirating
writing a keygen for microsoft visual studio
all because they locked him out of azure KEKW
typical 15 year olds
Bruh
hi
smort
that's the thing
Hey how are you a bot?
irc bridge
GPT-3
running on paper
only a few more left before sharman now
know who
the log4j is also fixed on vanilla clients 1.7< and dont need to add something to the parameters?
yes
wait like from Paper
yes
use 66 yes
yes
thanks a lot guys
sheesh
appreciate it
use the highest number.
i mean I can't say I'm surprised either though
brocc so funny and pingable and cool and vegtabel and billie eilish stan
Already been banned once for quoting someone saying the n-word so yeah lmao
vegtebal overlord
I'm a bot
and for servers they also fixed it on 1.18.1
1.16.5+ latest builds they are fixed
for vanilla
for older versions read paper help pins
for vanilla
no chocolate
i dont use vanilla but want to know if bukkit and spigot will be ok
yes 1.18.1 fixed it
oh ok
SHermanInTank
no
if you're using the latest build, no
tbh i kinda wanna write an ai that just spouts the nonsense i spout now
the plugin doesn't cover all the ways you can use the exploit
how u are a bot?
i want to be a bot too
i
webhook
Which is why we have been saying for ages: Plugins don't work, chat is not the only attack vector
but Aurora it says fix in title
@quick pasture fake news!
^
Update your software. That is the best fix
Frank 
💀 😂 That is hilarious. How does that sort of bug happen to begin with.
what did frank say





