Java Log4J vulnerability
Is the Steam client affected by this vulnerability? If so, when can we expect a patch?
Showing 1-15 of 52 comments
=Snappy= Dec 10, 2021 @ 2:50pm 
Wondering also. Surprised it's not being discussed more.
kelrizzo Dec 10, 2021 @ 2:56pm 
It's a pretty big deal. Due to the vulnerability on Minecraft servers, a malicious user could craft a message which would leverage the flaw on any player's PC, providing the attacker control over that PC. I tend to think that the log4j2 library is not used on individual PCs, but it doesn't have to be in order to exploit a PC in the case of Minecraft. It's all going to depend on how Steam utilizes the library.
Satoru Dec 10, 2021 @ 3:01pm 
.....

Steam client doesn't use Java so....

No?

There's a reason why only the Java Minecraft community is panicking

It would really only be an issue from a server perspective. But client side you basically aren't going to be doing anything. I mean yes, Valve is probably patching Apache now, but it's not a client side problem with Steam.
Last edited by Satoru; Dec 10, 2021 @ 3:26pm
cinedine Dec 10, 2021 @ 3:06pm 
It's not. The client is C++ or C# based, as you can see by the countless DLL files it uses. While it's possible to use them in Java, it's also rather stupid doing it to that extent.
Java is not very commonly used for desktop applications, but rather for web applications.
Last edited by cinedine; Dec 10, 2021 @ 3:24pm
kelrizzo Dec 10, 2021 @ 3:23pm 
Good info on the code base for the client. Yeah, like I said, no need to panic, but getting some info and making sure to look after your own personal security is never a bad thing! Also, with the vulnerability residing on the Steam servers, it does pose questions regarding the security of the info (in many cases our personal info) that Valve is holding.
cinedine Dec 10, 2021 @ 3:39pm 
Don't worry too much about it. There have been other exploits for years. Like Heartbleed in OpenSSL, which was far more commonly used.

Also: such news only goes public AFTER the issue has been fixed. Look up "responsible disclosure". And they usually give enough time for users to update their ♥♥♥♥.

Edit: haha, posted right before the server issue. :steammocking:
Last edited by cinedine; Dec 10, 2021 @ 3:51pm
ponk Dec 10, 2021 @ 3:58pm 
You can go offline if you want to, but every news outlet that has talked about this has the same copypaste of "it affects steam, amazon, icloud" when Steam does not even use Java. Update your Minecraft if you've got it (this issue won't trouble you if you don't frequent public servers anyways) and you'll be fine.
IFIYGD Dec 10, 2021 @ 4:04pm 
Cloudflare already updated and had all mitigation actions applied before noon today, EST. Steam sits behind Cloudflare.

Originally posted by cinedine:
<snip>
Java is not very commonly used for desktop applications, but rather for web applications.
Cloud services use Apache Struts, quite commonly. So as to this:

Originally posted by Satoru:
.....

There's a reason why only the Java Minecraft community is panicking...
Yeah, no, lol. There are a bunch of big enterprise apps and cloud service providers that have been kept hopping today. But like I said, Cloudflare has already announced they are updated and have all mitigations in place, and have tested for vulns extensively.
Last edited by IFIYGD; Dec 10, 2021 @ 4:07pm
cinedine Dec 10, 2021 @ 4:08pm 
Originally posted by IFIYGD:
Cloudflare already updated and had all mitigation actions applied before noon today, EST. Steam sits behind Cloudflare.

Originally posted by cinedine:
<snip>
Java is not very commonly used for desktop applications, but rather for web applications.
Cloud services use Apache Struts, quite commonly. So as to this:

Originally posted by Satoru:
.....

There's a reason why only the Java Minecraft community is panicking...
Yeah, no, lol. There are a bunch of big enterprise and cloud service providers that have been kept hopping today. But like I said, Cloudflare has already announced they are updated and have all mitigations in place, and have tested for vulns extensively.

And Clownflare is ... serverside/backend. As are all cloud services. Nothing to do with the client.
[N]ebsun Dec 10, 2021 @ 4:50pm 
Originally posted by cinedine:
Originally posted by IFIYGD:
Cloudflare already updated and had all mitigation actions applied before noon today, EST. Steam sits behind Cloudflare.


Cloud services use Apache Struts, quite commonly. So as to this:


Yeah, no, lol. There are a bunch of big enterprise and cloud service providers that have been kept hopping today. But like I said, Cloudflare has already announced they are updated and have all mitigations in place, and have tested for vulns extensively.

And Clownflare is ... serverside/backend. As are all cloud services. Nothing to do with the client.

Someone gaining access (or worse, control) to backend servers is a pretty big deal, considering we all have information stored or passing through there by being users of Steam.
Last edited by [N]ebsun; Dec 10, 2021 @ 4:52pm
Yasahi Dec 10, 2021 @ 5:37pm 
Originally posted by Lord Sir Dr. Santa Nebsun:
Someone gaining access (or worse, control) to backend servers is a pretty big deal, considering we all have information stored or passing through there by being users of Steam.

When talking about risks, one should always take into consideration how likely they are. If the chance is close to zero, there's really no point in panicking. This vulnerability for example can already be patched and prevented in a few different published ways. And it takes more than the existence of a vulnerability in some part of the system to actually exploit it.
cinedine Dec 10, 2021 @ 5:43pm 
Originally posted by Lord Sir Dr. Santa Nebsun:
Originally posted by cinedine:

And Clownflare is ... serverside/backend. As are all cloud services. Nothing to do with the client.

Someone gaining access (or worse, control) to backend servers is a pretty big deal, considering we all have information stored or passing through there by being users of Steam.

Yes ... so?
Maybe I misunderstand why I was quoted by IFIYGD, but that still doesn't change the fact that the client isn't using Java, so there will be no patch for it as for the question. And that also doesn't change the fact that Java is not usually used for desktop applications but web applications.

The bug is a big deal. But there is nothing *you* can do about it. And worrying about Steam being affected is ... pretty much the least of your issues. Log4J is packaged in a LOT of frameworks and business solutions. Apache Solr for example is the most used search and recommendation engine for online stores and CMS and big data applications.
Log4J is one of the two most used logging frameworks in the Java world, so the impact cannot be underestimated (and it's certainly not only Minecraft users panicking about it).

But the bug IS fixed by the vendor, which is the reason we now know about it. It's now on the services to update their applications. And that's something you can be dead sure the big names are doing ASAP. I would rather worry about the smaller services you might use.
Community was down for a short time recently, so I assume Valve has already acted.
Satoru Dec 10, 2021 @ 5:55pm 
Originally posted by cinedine:
Don't worry too much about it. There have been other exploits for years. Like Heartbleed in OpenSSL, which was far more commonly used.

Also: such news only go public AFTER the issue has been fixed. Look up "responsible disclosure". And they usually give enough time for users to update their ♥♥♥♥.

Edit: haha, posted right before the server issue. :steammocking:

To be fair, it's a zero-day, so there hasn't been a lot of time to remediate the issue. It's also mega actively being exploited, so
Last edited by Satoru; Dec 10, 2021 @ 6:46pm
Satoru Dec 10, 2021 @ 5:59pm 
Originally posted by ponk:
You can go offline if you want to, but every news outlet that has talked about this has the same copypaste of "it affects steam, amazon, icloud" when Steam does not even use Java. Update your Minecraft if you've got it (this issue won't trouble you if you don't frequent public servers anyways) and you'll be fine.

Note the researchers did test that the Steam servers themselves were potentially vulnerable. Note the 'server' part and not the client part. The servers are likely running Apache, or at least some variant that uses the vulnerable software, as it's used in pretty much a lot of things. This is similar to when the OpenSSH vulnerabilities started popping up. It's used in a lot of servers and thus its exploitation was a big problem. Log4J is used in a lot of SERVER side software that is based in Java, and especially in a lot of Apache products.

Note that if the Minecraft client itself wasn't vulnerable, or if Minecraft servers were still not using Java (Java servers are much more popular because of their ability to mod, despite MS desperately trying to get people to move off of Java), this likely wouldn't be causing as much panic amongst gamers. As I said above, the OpenSSH issues were a much, much bigger problem but were of little concern to gamers. I had to do A LOT OF WORK because of it.

But that's an issue for Steam to deal with on their servers. This is also being addressed through edge providers that are actively blocking specific attacks.

To be clear, the client itself isn't vulnerable and thus no 'patch' is coming for the client.

Maybe possibly some server software may need to be updated though I'm not really sure if CS 1.6/TF2 servers use the vulnerable software. To be honest it would be much more likely that addons for said servers might be vulnerable to these attacks.
Last edited by Satoru; Dec 10, 2021 @ 6:02pm
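Satoru's closing point is that the practical question for anyone running Java software themselves (a game server and its add-ons, for instance) is whether that software bundles the vulnerable library. As an added example, and not code from any poster in this thread or from Valve, here is a small offline inventory check in Python: it walks a directory of Java archives, looks inside each for the JNDI lookup class that implements the exploited feature, reads the declared log4j-core version from the file name or the bundled Maven metadata, and labels each archive. It also looks one level into fat jars, since server bundles often nest log4j-core inside them. Everything it scans is a constructed fixture built in a temporary directory (dummy class bodies, not real Log4j jars); the 2.15.0 threshold is the first release that disabled message lookups and should be raised as later fixes are published; the status labels and helper names are this example's own.

```python
"""Added example, not code from the thread or from Valve: an offline inventory
check for Log4j 2 exposure in Java software you run yourself. It reads
.jar/.war/.ear archives, looks for the JNDI lookup class, reads the declared
log4j-core version, and labels each archive. It only reads files."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Class that implements the JNDI lookup; deleting it from log4j-core is the
# vendor-documented mitigation for deployments that cannot upgrade right away.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars, used when the file name has no version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First log4j-core release that disabled message lookups by default; raise this
# threshold as the project publishes follow-up fixes.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
_FILENAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+){1,2})(?:[-.].*)?\.jar$")

Version = Optional[Tuple[int, int, int]]
Finding = Tuple[str, Version, str]  # (archive path, declared version, status)


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); None when the text is not a dotted version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_archive(name: str, zf: zipfile.ZipFile) -> Version:
    """Version from the file name first, then from the bundled pom.properties."""
    m = _FILENAME_VERSION.search(name)
    if m:
        return parse_version(m.group(1))
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    return None


def classify(version: Version, has_jndi_class: bool) -> str:
    """Status label from (declared version, lookup class present?)."""
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    if has_jndi_class:
        return "vulnerable" if version is not None else "unknown-version-has-jndi-lookup"
    return "mitigated-class-removed" if version is not None else "no-log4j-core"


def assess_archive(name: str, data: bytes, depth: int = 0) -> List[Finding]:
    """Findings for one archive plus jars nested one level inside it (fat jars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, None, "unreadable")]
    with zf:
        names = set(zf.namelist())
        version = version_from_archive(name, zf)
        findings = [(name, version, classify(version, JNDI_LOOKUP_CLASS in names))]
        if depth == 0:
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += assess_archive(f"{name}!{inner}", zf.read(inner), depth + 1)
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk root and assess every archive; paths are reported relative to root."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings += assess_archive(path.relative_to(root).as_posix(), path.read_bytes())
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixtures shaped like real archives; class bodies are dummies."""
    def jar(rel: str, entries: dict) -> None:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry, payload in entries.items():
                zf.writestr(entry, payload)

    dummy = b"\xca\xfe\xba\xbe"  # Java class-file magic and nothing else
    jar("lib/log4j-core-2.14.1.jar", {JNDI_LOOKUP_CLASS: dummy})
    jar("lib/log4j-core-2.15.0.jar", {JNDI_LOOKUP_CLASS: dummy})
    jar("lib/log4j-core-2.14.1-stripped.jar", {"org/apache/logging/log4j/core/Core.class": dummy})
    jar("lib/commons-lang3-3.12.0.jar", {"org/apache/commons/lang3/StringUtils.class": dummy})
    # Shaded build: log4j classes copied in, version recorded only in pom.properties.
    jar("shaded-app.jar", {JNDI_LOOKUP_CLASS: dummy, POM_PROPERTIES: b"version=2.13.3\n"})
    # Fat jar with log4j-core nested one level down.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, dummy)
    jar("server.jar", {"BOOT-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})


def demo() -> dict:
    """Build the fixtures in a temp dir, scan them, return {archive path: status}."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    build_sample_tree(root)
    return {name: status for name, _version, status in scan_tree(root)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:32} {name}")
```

To run it against a real installation, call `scan_tree(Path("/path/to/server"))` instead of `demo()`. The labels are deliberately conservative: an archive that carries the lookup class but declares no version is reported as suspect rather than assumed safe, and a jar below the threshold with the class removed is reported as mitigated, not fixed, so that the upgrade still shows up on the to-do list.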
Squingus Dec 10, 2021 @ 6:54pm 
Log4j
Is this security flaw patched out and do I need to be worried about it?

Date Posted: Dec 10, 2021 @ 2:46pm
Posts: 52