Does an attacker need to be logged in to take advantage of the exploit? Will a whitelist keep my server safe?
From what I've read, no. It's an issue with some mods using insecure networking code, letting the malicious party inject payloads to the server or clients.
From the blog post:
The bug is a well known issue with deserialization using ObjectInputStream. The mods affected used OIS for networking code, and this allowed packets with malicious serialization to be sent. This allows anything to be run on the server, which then can be used on the server to do the same thing to all clients, therefore infecting all clients with the server in reverse.
Take my conclusions with a grain of salt; I'm no expert, so I might be wrong.