The recent week was full of slowly-breaking news about a software component called Log4J and how it’s vulnerable to attacks by hackers. That’s not really news, of course — there are dozens of bugs and “exploits” found every day on all manner of apps. It turns out, however, that Log4J has been used as a handy component in a lot of applications, including Minecraft: Java Edition. The vulnerability lets hackers access computers using the Minecraft chat feature.
Tons of people took to the Internet to complain about how Log4J “officially ruined their weekend.” The fact is that a ruined weekend is the least of your worries, especially if you run your own Microsoft hosting server. Of course, the immediate danger seems to be over — Microsoft has issued a patch that will fix Log4J in Minecraft. It’s a whole different story if you’re running a Minecraft server. If you run a Minecraft server, you and your players are vulnerable until you go through the steps I’ve described below. This post will also tell you all you need to know about Log4J and how you can have a secure and reliable Minecraft server.
What is Log4J?
Log4J is an open-source logging software specifically developed for applications created with the Java framework. It seems that almost all major applications written in Java use Log4J in one way or another. That means a lot of big names are going to scramble to issue security updates and patches for their applications. Microsoft is no exception — worse, it seems the Log4J vulnerability or “exploit” is even more effective when it comes to Minecraft. Naturally, vulnerability is limited to Minecraft: Java Edition, and other versions are immune. Then again, the Java Edition is the one you use to host your own Minecraft servers. But what is the Log4J exploit exactly?
The Log4j Minecraft vulnerability is not exactly straightforward. To explain what it does will take too long without adding much value to stopping it. Instead, let’s go over the basics that will help you get a grip on things as a Minecraft server owner. Log4J in Minecraft was a “zero-day” exploit. That means no one knew it was there and that’s why it was so effective. Now that the companies have discovered the vulnerability, they can quickly fix it and automatically update their applications. Of course, there are always cases where users fail to get the necessary patch or in some other way continue to be vulnerable to the attack. A Minecraft server is the most likely scenario for this kind of delayed vulnerability. That’s because the automatic update isn’t enough for Minecraft hosting. But that’s no cause of concern. Securing your Minecraft server isn’t that hard. In fact, if you follow the simple steps I’ll show you below, you can quickly make things right. Let’s see what these steps are.
What is Minecraft Hosting and Why is it more Vulnerable to Log4J Error?
I’ve pointed out before that the vulnerability of Log4J in Minecraft is a much more serious issue if you host your own Minecraft VPS server. But what exactly do we mean by Minecraft hosting? Is it different from playing online? And why is it more critical? To clarify things, I’ll go over some quick definitions. Make sure to follow and see if they apply to you and if you need to do anything to keep your computer and your Minecrafting safe and secure.
Impress your friends on game night or just start a commercial multiplayer server for Minecraft, Virtual TableTop games, and more! 
Get Your Game Face ON
First, you need to know if you’re self-hosting your Minecraft games or using Minecraft Realms. Naturally, if you’ve paid a third-party hosting provider and installed Minecraft on your own server, you definitely are self-hosting. There are a lot of reasons why a self-hosted Minecraft game is so popular despite it being more challenging to set up. Actually, the same is true for any kind of remote game hosting, including VTT board games.
How to Fix Log4J on Your Minecraft Server?
The first thing you need to do is to check which version of Minecraft you’re running on your server. The Log4J exploit only affects Minecraft version 1.7 and above — so if you have Minecraft 1.6, for example, you’re in the clear. Now, the first thing you should try is to update your Minecraft to version 1.18.1, which is patched to fix the issue. If you can’t do that, just follow these simple steps, based on the version of Minecraft installed on your server.
Steps For Minecraft 1.7 – 1.11.2
First, you need to download this XML file from Mojang and place it in your server’s working directory (where the game files are).
Next, insert the following command into the Minecraft startup command line:
-Dlog4j.configurationFile=log4j2_17-111.xml]Steps For Minecraft 1.12 – 1.16.5
Download this other XML file from Mojang and place it in your server’s working directory (where the game files are).
Next, insert the following command into the Minecraft startup command line:
-Dlog4j.configurationFile=log4j2_112-116.xmlSteps For Minecraft 1.17
No need to download anything — simply insert the following command into the startup command file:
-Dlog4j2.formatMsgNoLookups=trueSteps For Minecraft 1.18
Upgrade to 1.18.1 or enter the following code into the startup command line:
-Dlog4j2.formatMsgNoLookups=trueEnsuring a Secure and Reliable Minecraft Server
With your Minecraft server now secured against Log4J, all that remains is to let your players know it’s safe to play on your server. This is especially critical in case you’re hosting a Minecraft server for pro gamers and not just your group of friends therefore, it’s important to be familiar with Gaming Server Security Best Practices.
We should probably hold the champagne for now, because there can never be such a thing as a secure server. You will need to continue monitoring and maintaining your server and its security. Without the right hosting provider, all of that effort won’t amount to anything. Cloudzy’s Minecraft VPS services are equipped with smart DDoS protection and AI-powered firewalls that provide your Minecraft servers with the last word in security and reliability.
Remember, with the recent DDoS attacks on Minecraft servers, a DDoS-protected VPS is necessary for any decent Minecraft hosting. Don’t hesitate to take a look and ask us anything you’d like to know.
FAQ
What is Log4J and why is it important to me?
Log4J is the name of an open-source component that a lot of Java applications use to log activities. Hackers have found a vulnerability in Log4J and they started a large-scale attack using Log4J, targeting mostly Minecraft servers and player’s computers. Log4J lets attackers gain access to everything on your PC with just one line of text.
Is it safe for me to connect to Minecraft Realms now?
Of course. Microsoft quickly fixed its Realms servers so if you have a subscription, you can continue using them as usual. If you run your own Minecraft server, however, you should make sure it’s secure by following the steps in this article.
How do I make sure my Minecraft server is secure for my players?
There are a lot of security measures to consider when making your servers safe for players. Naturally, the most immediate problem to deal with is the Log4J vulnerability and you can fix it using the steps in this guide. You can also read this article on extra steps to secure your server.
Will a DNS server help with the security of my game server?
Using a DNS server for online gaming can help increase the security of your personal data and prevent malware attacks on your device while playing online.
