Log4J Attack on Docker container! How bad is the damage?


Senu

Yea sorry forgot mentioning that it's a Minecraft server (binhex-minecraftjava).

I'm pretty sure it's log4j because in the game log files I see the chat message used by a very suspicious username "INETDataSurveyP35x".

Edited by Senu
Link to comment
17 minutes ago, Squid said:

One of the upshots of docker is that the rest of the files on your server that you have are only visible to any given app if YOU give the app permission to them.

 

@binhex, any thoughts?

As I'm sure anybody who runs Minecraft Java is aware (well reported on the internet), Minecraft was highlighted as having the log4j vulnerability. This was then patched by Mojang and quickly released, but obviously the patch and fix is only available for the current latest version of Minecraft Java; if you run earlier versions then you are still vulnerable.

I'm assuming the OP was indeed running a version prior to the fixed version (1.18.1). There are, according to Mojang, certain mitigations you can do for earlier versions, but it would be up to the user to perform these. Link to doc: https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition

So as far as damage limitation goes, as long as the OP did not add any additional volume binds then it will be limited to /config only, so a quick restore from backup or, at worst, copy your world somewhere, then delete everything in /config, fix up to prevent the vulnerability, restart the container and copy the world back should suffice.

  • Like 4
  • Thanks 1
Link to comment

I tell ya what, I will firstly put a big fat warning on my threads and secondly I will see if I can detect the version of Minecraft jar, if so I can attempt to patch for the user using the guidance in the link above.


Edit: just to be clear, anything running Minecraft Java is potentially vulnerable when using earlier versions, so mineos-node and crafty images are also prone when not running the latest Minecraft server versions.

  • Like 1
  • Thanks 1
Link to comment

@binhex @squid ... you all went above and beyond!

 

I really appreciate the help. I'm still quite new to the whole Unraid world and this is my first question on the forum here.

Really cool to see an active and supporting community.

I didn't bind any drives/directories to the container so the damage is minimal.

I'm using the container with a "custom" forge.jar still running 1.7.10.

 

Link to comment
17 hours ago, Senu said:

@binhex @squid ... you all went above and beyond!

 

I really appreciate the help. I'm still quite new to the whole Unraid world and this is my first question on the forum here.

Really cool to see an active and supporting community.

I didn't bind any drives/directories to the container so the damage is minimal.

I'm using the container with a "custom" forge.jar still running 1.7.10.

 

Yep, running any Minecraft server v1.7.1 to v1.18.0 will expose you to the vulnerability, so that def explains why it happened.

So I've done what I can here. I have spammed all Minecraft Java support threads that I own with a warning and what to do to patch. I have also automated patching of binhex/minecraftserver; however, it's not possible for me to automatically patch mineos-node or crafty (multi Minecraft server frontend), as configuration for each server is done through the server web UI and thus must be done by the user for each running Minecraft instance.

  • Like 2
Link to comment
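
The two checks discussed in this thread (is the server version in the affected range, and which host paths can the container reach beyond /config), as an added example that is not code from any poster or from the binhex images. The sample `docker inspect` output and its host paths are constructed, the expected-bind set is an assumption, and the version range is the one stated in the thread.

```python
import json

# Constructed `docker inspect <container>` output, trimmed to the fields used
# here. The container name matches the thread; the host paths are made up.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/binhex-minecraftjava",
    "Mounts": [
        {"Type": "bind", "Source": "/mnt/user/appdata/binhex-minecraftjava",
         "Destination": "/config", "RW": True},
        {"Type": "bind", "Source": "/mnt/user/media",
         "Destination": "/media", "RW": True},
        {"Type": "bind", "Source": "/mnt/user/backups",
         "Destination": "/backups", "RW": False},
    ],
}])

EXPECTED_DESTINATIONS = {"/config"}  # assumption: the only bind the app needs
# Range as stated in the thread: 1.7.1 through 1.18.0, fixed in 1.18.1.
FIRST_AFFECTED, LAST_AFFECTED = (1, 7, 1), (1, 18, 0)


def version_in_affected_range(version):
    """True if a numeric dotted version falls in the thread's stated range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (3 - len(parts))  # treat "1.18" as 1.18.0
    return FIRST_AFFECTED <= parts <= LAST_AFFECTED


def exposed_host_paths(inspect_json, expected=EXPECTED_DESTINATIONS):
    """Group host paths the container can reach beyond the expected binds."""
    result = {"writable": [], "read_only": []}
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Destination") in expected:
                continue  # /config is already assumed to need restoring
            key = "writable" if mount.get("RW") else "read_only"
            result[key].append(mount.get("Source", ""))
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    print("1.7.10 in affected range:", version_in_affected_range("1.7.10"))
    print("paths to review:", exposed_host_paths(SAMPLE_INSPECT))
```

On a real host, pass the output of `docker inspect` for the container in place of the constructed sample; writable paths need an integrity check or restore, read-only ones should be treated as disclosed.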
