As you may have heard, a Zero-Day vulnerabiliy in log4j was recently discovered, allowing remote code execution.

Cuberite is not directly vulnerable to this issue. However, as Notchian Minecraft clients use log4j to log chat messages, clients for all versions of Minecraft below 1.18.1 can be exploited by this issue.

As Cuberite does not support the 1.18 protocol, all Notchian clients that can connect to Cuberite are believed to be vulnerable to this issue.

MITIGATION: Sanitisation for chat messages has been introduced to Cuberite. This prevents attack payloads from being relayed by the server. UPDATE YOUR CUBERITE INSTANCES TO THE LATEST VERSION AS SOON AS POSIBLE.

For your convenience, these download links can be used to download Cuberite with the mitigiation applied (builds are in progress; if they 404, please wait):

Linux i386
Linux armhf
Windows amd64
Windows i386

Unfortunately due to lack of resources, Mac builds are not available at this time. If you are a Mac use, recompile from source instead.

Cuberite on Android should be updated using the launcher as normal.

December 11, 2021