Skip to main content

Minecraft: Education Edition is NOT affected by CVE-2021-44228 - Apache Log4J Vulnerability

Comments

7 comments

  • Official comment
    Penny Support Team
    Beacon of Knowledge Expert (Gold) Support Team Member

    Minecraft: Education Edition is not affected by this vulnerability.

  • Scott Hine

    Hi just another comment on this.

    The JNDIlookup.class found in "C:\Minecraft\minecraftedu\minecraft\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar" of EDU version 1.17.32 isn't affect by the vulnerability?

    Cheers

    0
  • Penny Support Team
    Beacon of Knowledge Expert (Gold) Support Team Member

    Scott Hine - this path isn't associated with Minecraft: Education Edition, it looks like you may have the old version of MinecraftEDU installed?  

    0
  • Penny Support Team
    Beacon of Knowledge Expert (Gold) Support Team Member

    MinecraftEDU was discontinued in April 2016 and is no longer supported.  It's possible that this application would be affected by the Apache Log4J Vulnerability since no patches have been created for it specifically.

    0
  • Scott Hine

    Thank you, yes i found that some of our PCs had an old version just sitting in the root of C: so we are deleting this as its not in use.

    Cheers

     

    0
  • Greg Corbin

    Penny

    My apologies, but I would like to get clarification on this answer with respect to the Log4j vuln.

    1) Does Minecraft Education Edition use Log4j and if so, what versions of Log4j?
    2) Are all versions prior to 1.17.x (supported and unsupported) of Minecraft Education also not subject to the Log4j2 vuln (CVE-2021-44228)? 
    3) Have any Minecraft Education Editions (supported and unsupported) used Log4j version 1, and if they have, are they subject to Log4j vuln CVE-2021-4104, which also provides RCE access using JMSAppender?

    Thank you in advance for your response...

    0
  • Penny Support Team
    Beacon of Knowledge Expert (Gold) Support Team Member

    Hi Greg Corbin, I'm happy to answer your questions.

    The Log4j vulnerability is based on a Java library.  Minecraft: Education Edition is based on the Bedrock version of Minecraft, which has no Java code.  So our edition is not vulnerable to attacks that exploit this issue.

    0

Please sign in to leave a comment.