PaperMC exploit (paper - 1.18, 1.17, 1.16.5)


Created: 2021-12-10

Exploit on Paper, Waterfall and Velocity


On 12/20/09 at 8:15pm, Paper announced that an exploit has been found and is already being exploited! This was announced in the official Discord server of PaperMC.



The announcement is clear: immediately update your server(s) to the latest releases. Currently, Paper has released builds for 1.18, 1.17, and 1.16.5. In addition, Waterfall and Velocity releases have also been published.

All versions are downloadable on MinecraftVersion!

Paper 1.18:   https://minecraftversion.net/downloads/paper/#1.18
Paper 1.17:   https://minecraftversion.net/downloads/paper/#1.17
Paper 1.16.5:   https://minecraftversion.net/downloads/paper/#1.16.5

Waterfall:   https://papermc.io/downloads#Waterfall
Velocity:   https://papermc.io/downloads#Velocity


Major servers like 2b2t have been taken offline due to this exploit. Servers like 2b2t are usually the first to suffer from this.

Known servers will remain offline until a release that prevents this exploit from being used is available.



Developers of PaperMC announced that there are workarounds; I quote the post below.

 Version 1.8 to 1.10: fix using a custom log4j config. To fix:

Open patched (in cache folder) jar file in an archive tool
Unzip and copy out the log4j2.xml file
Replace all instances of %msg with %msg{nolookups}
Place xml file in server folder
Run server with -Dlog4j.configurationFile=log4j2.xml flag (before -jar)

Version 1.11+: fix using a custom log4j config. To fix:

Open patched (in cache folder) jar file in an archive tool
Unzip and copy out the log4j2.xml file
Replace the first instance of %msg with %msg{nolookups}
Replace all 4 other %minecraftFormatting{%msg} with %msg{nolookups}
Place xml file in server folder
Run server with -Dlog4j.configurationFile=log4j2.xml flag (before -jar) 
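
The replacement steps in the quoted workaround can be scripted and checked. The following is an added example, not part of the quoted post and not PaperMC's own tooling: it generalizes both version ranges into one pass by assuming every %msg should end up as %msg{nolookups}, and the sample configuration is constructed for illustration rather than copied from a shipped log4j2.xml.

```python
import re
import sys

# A bare %msg that is not already followed by {nolookups}
UNSAFE_MSG = re.compile(r"%msg(?!\{nolookups\})")
# The wrapped form named in the 1.11+ steps of the quoted post
FORMATTED_MSG = re.compile(r"%minecraftFormatting\{%msg\}")
SAFE = "%msg{nolookups}"

# Constructed sample: one bare %msg and two wrapped ones (hypothetical layout)
SAMPLE_CONFIG = """\
<Configuration>
  <Appenders>
    <Queue name="ServerGuiConsole">
      <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n"/>
    </Queue>
    <Console name="Terminal">
      <PatternLayout pattern="[%d{HH:mm:ss} %level]: %minecraftFormatting{%msg}%n"/>
    </Console>
    <File name="File" fileName="logs/latest.log">
      <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %minecraftFormatting{%msg}{strip}%n"/>
    </File>
  </Appenders>
</Configuration>
"""

def patch_layout(xml_text):
    """Apply the quoted replacements to the text of a log4j2.xml file."""
    # 1.11+ step: the wrapped form becomes a plain, lookup-free %msg.
    patched = FORMATTED_MSG.sub(SAFE, xml_text)
    # Both ranges: every remaining bare %msg gets {nolookups}. The negative
    # lookahead makes a second run a no-op instead of double-patching.
    return UNSAFE_MSG.sub(SAFE, patched)

def unsafe_patterns(xml_text):
    """Return the lines that still contain a %msg without {nolookups}."""
    return [ln.strip() for ln in xml_text.splitlines() if UNSAFE_MSG.search(ln)]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the extracted log4j2.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            original = fh.read()
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(patch_layout(original))
    else:  # no path given: show the constructed sample after patching
        print(patch_layout(SAMPLE_CONFIG))
    # After patching, unsafe_patterns() on the file text should return [].
```

Run it against the extracted log4j2.xml before starting the server with the -Dlog4j.configurationFile=log4j2.xml flag from the quoted post.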


But what can the exploit do?

We can tell you the information that is currently known about the consequences of the exploit.

The exploit allows code sent in messages to be executed on the server side. This can have major consequences that can easily hurt your server.
Griefing on a grand scale, not just your cool Minecraft buildings being removed.

