Java Log4J vulnerability
Is the Steam client affected by this vulnerability? If so, when will we expect a patch?
https://logging.apache.org/log4j/2.x/changelog.html I suggest you check there. The CVE page on that flaw may also provide answers to your question. If you want, you can provide the CVE number or another pointer to the issue so I can analyze it.
Last edited by ReBoot; Dec 11, 2021, 1:09
Originally posted by ReBoot:
CVE-2021-44228
Originally posted by cinedine:
It's not. The client is C++ or C# based as you can see by the countless DLL files it uses. While it's possible to use them in Java, it's also rather stupid doing it to that extent.
Java is not very common to be used for desktop applications but rather for web applications.
I believe the only C# related to Steam is third party runtimes like Steamworks.NET designed to link .NET based games to the native Steamworks runtime.
According to devs at Valve there is nothing to worry about because their services are designed in a way that doesn't allow downloads and execution of untrusted code.

https://www.reddit.com/r/Steam/comments/rd68yp/a_vulnerability_in_log4jjava_logging_package/ho1yyaa/
Java & Log 4 Shell vulnerability (CVE-2021-44228)
Is there a way to see what Steam games run on java? Unsure if the Log4j vulnerability would have entry points on Steam games....on Minecraft it does. https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
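For the question of which installed games bundle Log4j, an added example (not from the thread, Valve or Apache): it walks a library folder and reports archives that contain log4j-core's JndiLookup class, including copies nested inside other jars. The folder layout, game names and version string below are constructed sample data.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def inspect_archive(fileobj, label, findings):
    """Record log4j-core evidence in one archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # unreadable archive: skip it rather than abort the scan
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            vers = [ln[8:].strip() for ln in props.splitlines() if ln.startswith("version=")]
            findings.append((label, vers[0] if vers else "unknown"))  # no Maven metadata
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings)

def scan_tree(root):
    """Walk a directory (for example a game library folder) and inspect archives."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            with path.open("rb") as fh:
                inspect_archive(fh, path.relative_to(root).as_posix(), findings)
    return findings

def build_constructed_library(root):
    """Constructed sample: GameA bundles log4j-core inside its jar, GameB does not."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr(POM_PROPS, "version=2.14.1\n")
    for game, entry, data in (("GameA", "libs/log4j-core.jar", inner.getvalue()),
                              ("GameB", "com/example/Main.class", b"")):
        Path(root, game).mkdir()
        with zipfile.ZipFile(Path(root, game, "game.jar"), "w") as z:
            z.writestr(entry, data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_library(tmp)
        print(scan_tree(tmp))
```

A hit shows that the class is shipped, not that it is reachable; where the Maven metadata survives, the reported version can be checked against the Log4j changelog.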
I fail to see the problem though...

Even if a program or game uses Java then that's no guarantee that it also relies on Log4j. It's not as if this issue applies to everything that uses the Java runtime. Heck, even if a Java program does rely on Log4j then that by itself is also no guarantee that it's open to attack because.. Using Java doesn't automatically imply that remote network connections are a thing.
Last edited by ShelLuser; Dec 11, 2021, 13:05
Originally posted by ShelLuser:
I fail to see the problem though...

Even if a program or game uses Java then that's no guarantee that it also relies on Log4j. It's not as if this issue applies to everything that uses the Java runtime. Heck, even if a Java program does rely on Log4j then that by itself is also no guarantee that it's open to attack because.. Using Java doesn't automatically imply that remote network connections are a thing.

This was a fairly big issue for Java Minecraft because Java Minecraft is still extremely popular due to its ability to mod, and it was very bad that both servers and clients could execute the code simply by an attacker typing in public chat which would get logged by the server and clients and run the exploit
Originally posted by Satoru:
Originally posted by ShelLuser:
I fail to see the problem though...

Even if a program or game uses Java then that's no guarantee that it also relies on Log4j. It's not as if this issue applies to everything that uses the Java runtime. Heck, even if a Java program does rely on Log4j then that by itself is also no guarantee that it's open to attack because.. Using Java doesn't automatically imply that remote network connections are a thing.

This was a fairly big issue for Java Minecraft because Java Minecraft is still extremely popular due to its ability to mod, and it was very bad that both servers and clients could execute the code simply by an attacker typing in public chat which would get logged by the server and clients and run the exploit

They already released a new version, though I'm still on 1.16.5, since my critical mods haven't been updated yet. But it's a simple manual fix.

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

For those who can't install the fix right away, Spigot and other sources have said that adding the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most Java versions. Spigot and many other services have already inserted the flag into the games they make available to users.

To add the flag users should go to their launcher, open the installations tab, select the installation in use and click "..." > "Edit" > "MORE OPTIONS", and paste -Dlog4j2.formatMsgNoLookups=true at the end of the JVM flags.


Might have to search around for that config file, since I'm on MultiMC. Microsoft can go cram their nagware launcher where the sun don't shine. I'm never using their stinking walled garden store.
Originally posted by ponk:
You can go offline if you want to, but every news outlet that has talked about this has the same copypaste of "it affects steam, amazon, icloud" when Steam does not even use Java. Update your Minecraft if you've got it (this issue won't trouble you if you don't frequent public servers anyways) and you'll be fine.
news is reporting steam was affected, probably servers, not clients.

Originally posted by =Snappy=:
Wondering also. Surprised it's not being discussed more.
I'd also like to know if there is anything going on with steam.
Originally posted by HHH33:
Originally posted by ponk:
You can go offline if you want to, but every news outlet that has talked about this has the same copypaste of "it affects steam, amazon, icloud" when Steam does not even use Java. Update your Minecraft if you've got it (this issue won't trouble you if you don't frequent public servers anyways) and you'll be fine.
news is reporting steam was affected, probably servers, not clients.

Originally posted by =Snappy=:
Wondering also. Surprised it's not being discussed more.
I'd also like to know if there is anything going on with steam.

If you look above you'd see the answer was already given that there is no problem in regards to Steam.
Originally posted by Damp Wizard Sleeve:
Originally posted by HHH33:
news is reporting steam was affected, probably servers, not clients.


I'd also like to know if there is anything going on with steam.

If you look above you'd see the answer was already given that there is no problem in regards to Steam.
thanks, is there official notice?
Originally posted by Damp Wizard Sleeve:
Originally posted by HHH33:
news is reporting steam was affected, probably servers, not clients.


I'd also like to know if there is anything going on with steam.

If you look above you'd see the answer was already given that there is no problem in regards to Steam.
No JRE in Steam, so yes I'd assume servers. Of course Minecraft players had to update unless they play Bedrock (console/mobile/Win10/11).
Last edited by Crashed; Dec 15, 2021, 15:50
Originally posted by HHH33:
Originally posted by Damp Wizard Sleeve:

If you look above you'd see the answer was already given that there is no problem in regards to Steam.
thanks, is there official notice?

No because there was never a need to provide one.
Originally posted by HHH33:
Originally posted by Damp Wizard Sleeve:

If you look above you'd see the answer was already given that there is no problem in regards to Steam.
thanks, is there official notice?

They would have patched their websites.

The steam client itself was never vulnerable
shouldn't you be more worried about web sites since a lot of them still use java in some way

Date posted: Dec 10, 2021, 14:46
Posts: 52