Healer

Description

Patch up security vulnerbility CVE-2021-44228 (also known as Log4Shell) for minecraft forge 1.7.10 - 1.12.2, by removing JNDI lookup from Interpolator using reflection and replace the default LoggerContextFactory to catch any LoggerContext loaded after this mod. For more specific technical explainations on how I patched it, please refer to the source code instead.

Currently only works for minecraft 1.12 and before. Tested on 1.7.10 and 1.12.2.

Compatibility

If any mod tries to programatically tweak logging configuration, they will fail miserably due to the exhaustive patching. To fix this, healer postpones the patching late enough, until said mods are done with their editing.

As of date, healer has built in support for these mods.

• ForgeEssentials

If you have other mods crashing with log lines like ClassCastException: cannot cast XXXXXXXX to org.apache.logging.log4j.core.impl.Log4jContextFactory, then you have step on one of these mods.

To fix this, complain at my issue tracker, or add -Dnet.glease.healer.patch_stage=XXXX to your JVM launch argument, where XXXX can be any of PRELOAD, PREINIT, INIT, POSTINIT (in time order, with earliest as the first). PREINIT is usually enough to mitigate the problem, POSTINIT should be enough to fix all problem.

To ordinary players

1. If your launcher has patched this already, you will not need this mod to patch the vulnerability.
2. If you applied mojang's fix, you will not need this mod to patch the vulnerability.
3. If you have FoamFix for 1.7, you will not need this mod to patch the vulnerability.
4. If you have used other fixing mods, ask their original authors if they can "catch any LoggerContext loaded after their mod", if yes, you will not need this mod. Otherwise, replace that mod with this mod, or use a launcher that does patching for you, e.g. MultiMC.

To modpack makers

Suggested to include in at least server pack.

1. Client side: in general not needed, unless your player has been living under a rock or intend to play with cracked launchers (which has its own set of implications, and is legally forbidden) that do not patch this. It has been ONE FULL YEAR since log4shell has been disclosed after all.

2. Server side: greatly suggested unless you have an equivalent mod. If you also distribute a server pack, and it is intended for minecraft 1.7~1.12.2, adding this mod is not necessary if you applied mojang's fix. However, since many people don't use the StartServer.bat (or something alike) that come with your server pack, chances are they will not use mojang's fixed log4j2.xml. There are also minecraft server rental service that does not allow customizing the launch command (yes my first server was like that). Technically you should not distribute an edited minecraft_server-1.7.10.jar, so adding this jar would be the most straightforward way of ensuring your server owners getting a fix.

What means Verified?

• Compatibility: The mod should be compatible with the latest version of Minecraft and be clearly labeled with its supported versions.
• Functionality: The mod should work as advertised and not cause any game-breaking bugs or crashes.
• Security: The mod should not contain any malicious code or attempts to steal personal information.
• Performance: The mod should not cause a significant decrease in the game's performance, such as by causing lag or reducing frame rates.
• Originality: The mod should be original and not a copy of someone else's work.
• Up-to-date: The mod should be regularly updated to fix bugs, improve performance, and maintain compatibility with the latest version of Minecraft.
• Support: The mod should have an active developer who provides support and troubleshooting assistance to users.
• License: The mod should be released under a clear and open source license that allows others to use, modify, and redistribute the code.
• Documentation: The mod should come with clear and detailed documentation on how to install and use it.

How to Install