Minecraft: Education Edition is NOT affected by CVE-2021-44228 - Apache Log4J Vulnerability

Israt Quazi

• December 13, 2021 20:25
• Report a Concern

Hello Everyone,

I noticed on the Minecraft support page it mentions the vulnerability about Minecraft: Java Edition. However, I did not notice any mention of Minecraft: Education Edition. Wondering whether we need to do anything from our end to protect our users for Minecraft: Education Edition?

0

• Official comment

  

  Penny Support

  • December 15, 2021 02:46

  

  Minecraft: Education Edition is not affected by this vulnerability.
• 

  Scott Hine

  • December 21, 2021 22:10
  • Report a Concern

  Hi just another comment on this.

  The JNDIlookup.class found in "C:\Minecraft\minecraftedu\minecraft\libraries\org\apache\logging\log4j\log4j-core\2.0-beta9\log4j-core-2.0-beta9.jar" of EDU version 1.17.32 isn't affect by the vulnerability?

  Cheers

  0
• 

  Penny Support

  • December 21, 2021 23:56

  

  Scott Hine - this path isn't associated with Minecraft: Education Edition, it looks like you may have the old version of MinecraftEDU installed?  

  0
• 

  Penny Support

  • December 22, 2021 00:00
  • Edited

  

  MinecraftEDU was discontinued in April 2016 and is no longer supported.  It's possible that this application would be affected by the Apache Log4J Vulnerability since no patches have been created for it specifically.

  0
• 

  Scott Hine

  • December 22, 2021 00:43
  • Report a Concern

  Thank you, yes i found that some of our PCs had an old version just sitting in the root of C: so we are deleting this as its not in use.

  Cheers

   

  0
• 

  Greg Corbin

  • January 08, 2022 15:12
  • Edited
  • Report a Concern

  Penny

  My apologies, but I would like to get clarification on this answer with respect to the Log4j vuln.
  
  1) Does Minecraft Education Edition use Log4j and if so, what versions of Log4j?
  2) Are all versions prior to 1.17.x (supported and unsupported) of Minecraft Education also not subject to the Log4j2 vuln (CVE-2021-44228)? 
  3) Have any Minecraft Education Editions (supported and unsupported) used Log4j version 1, and if they have, are they subject to Log4j vuln CVE-2021-4104, which also provides RCE access using JMSAppender?
  
  Thank you in advance for your response...
  
  

  0
• 

  Penny Support

  • January 12, 2022 18:44

  

  Hi Greg Corbin, I'm happy to answer your questions.

  The Log4j vulnerability is based on a Java library.  Minecraft: Education Edition is based on the Bedrock version of Minecraft, which has no Java code.  So our edition is not vulnerable to attacks that exploit this issue.

  0

Please sign in to leave a comment.