Microsoft has urged all Minecraft Java owners to update their game now to avoid a nasty security vulnerability.
The issue allows remote code execution on Minecraft servers when messages are pasted into a chat box, and was flagged online by tech security analysts last Friday. Eurogamer contacted Microsoft at the time.
On Sunday, Microsoft responded with a blog post on the Minecraft blog, and told all Java users to update their games immediately.
For most, this will be as simple as restarting their games to get the new update - but those on modified clients and third-party launchers may need to do more. There are more details on the Minecraft blog.
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable. — Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition. The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://t.co/4Ji8nsvpHf — Minecraft (@Minecraft) December 10, 2021
"Player safety is the top priority for us," Microsoft wrote in a tweet from the official Minecraft account. "Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.
"The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify."
There's no known issue associated with the Bedrock version of Minecraft available for Windows 10 and 11, as well as consoles.