From 38013a92989c529c27f39b596221bbcf5d68c3fc Mon Sep 17 00:00:00 2001 From: Glavo Date: Sat, 11 Dec 2021 12:28:48 +0800 Subject: [PATCH] Issue security warning for CVE-2021-44228 --- .../jackhuang/hmcl/game/LauncherHelper.java | 27 +++++++++++++++++++ .../resources/assets/lang/I18N.properties | 1 + .../resources/assets/lang/I18N_zh.properties | 1 + .../assets/lang/I18N_zh_CN.properties | 1 + 4 files changed, 30 insertions(+) diff --git a/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java b/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java index 010206326..c51c0afd7 100644 --- a/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java +++ b/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java @@ -72,6 +72,11 @@ import static org.jackhuang.hmcl.util.i18n.I18n.i18n; public final class LauncherHelper { + private static final Set UNSAFE_CLIENT_1_7_XML_SHA1 = + Collections.unmodifiableSet(new HashSet<>(Collections.singletonList("6605d632a2399010c0085d3e4da58974d62ccdfe"))); + private static final Set UNSAFE_CLIENT_1_12_XML_SHA1 = + Collections.unmodifiableSet(new HashSet<>(Collections.singletonList("ef4f57b922df243d0cef096efe808c72db042149"))); + private final Profile profile; private final Account account; private final String selectedVersion; @@ -523,6 +528,28 @@ public final class LauncherHelper { } } + // CVE-2021-44228 Remote code injection in Log4j + if (!suggested) { + if (gameVersion.compareTo(VersionNumber.asVersion("1.7")) >= 0 && gameVersion.compareTo(VersionNumber.asVersion("1.18")) <= 0) { + String xmlSha1 = Optional.ofNullable(version.getLogging().get(DownloadType.CLIENT)) + .flatMap(loggingInfo -> Optional.of(loggingInfo.getFile())) + .flatMap(idDownloadInfo -> Optional.ofNullable(idDownloadInfo.getSha1())) + .orElse(""); + if (gameVersion.compareTo(VersionNumber.asVersion("1.12")) < 0) { + if (UNSAFE_CLIENT_1_7_XML_SHA1.contains(xmlSha1)) { + Controllers.confirm(i18n("launch.advice.log4j_cve_2021_44228"), i18n("message.warning"), continueAction, null); + suggested = true; + } + } else { + if (UNSAFE_CLIENT_1_12_XML_SHA1.contains(xmlSha1)) { + Controllers.confirm(i18n("launch.advice.log4j_cve_2021_44228"), i18n("message.warning"), continueAction, null); + suggested = true; + } + } + } + } + + if (!suggested) { future.complete(javaVersion); } diff --git a/HMCL/src/main/resources/assets/lang/I18N.properties b/HMCL/src/main/resources/assets/lang/I18N.properties index 7b3c56059..3d790991a 100644 --- a/HMCL/src/main/resources/assets/lang/I18N.properties +++ b/HMCL/src/main/resources/assets/lang/I18N.properties @@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 and later versions are not compa launch.advice.java8_1_13=Minecraft 1.13 and later can only run on Java 8 or later. launch.advice.java8_51_1_13=Minecraft 1.13 may crash on Java 8 earlier than 1.8.0_51. Please install the latest version of Java 8. launch.advice.java9=You cannot launch Minecraft 1.12 or earlier with Java 9 or later versions of Java. +launch.advice.log4j_cve_2021_44228=The current version has serious security vulnerabilities. If you use it to join the server, your computer may be attacked.\nOfficials has updated the game to fix the vulnerabilities, re-downloading and installing the current version can solve the problem.\nDo you want to continue starting the unsafe version? launch.advice.newer_java=Java 8 is recommended to make the game faster. For many Minecraft 1.12 of higher, and most mods, Java 8 is required. launch.advice.not_enough_space=You have allocated too much memory, because the physical memory size is %dMB, your game may crash. Shall we continue launching? launch.advice.require_newer_java_version=Minecraft %1$s requires Java %2$s or later, are you willing to download one now? diff --git a/HMCL/src/main/resources/assets/lang/I18N_zh.properties b/HMCL/src/main/resources/assets/lang/I18N_zh.properties index 7b0d0d8b2..a01b842b2 100644 --- a/HMCL/src/main/resources/assets/lang/I18N_zh.properties +++ b/HMCL/src/main/resources/assets/lang/I18N_zh.properties @@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 或更高版本與 OptiFine 不 launch.advice.java8_1_13=Minecraft 1.13 只支援 Java 8 或更高版本,請使用 Java 8 或最新版本。 launch.advice.java8_51_1_13=低於 1.8.0_51 的 Java 版本可能會導致 Minecraft 1.13 崩潰。建議您到 https://java.com 安裝最新版的 Java 8。 launch.advice.java9=低於 (包含) 1.13 的有安裝 Mod 的 Minecraft 版本不支援 Java 9 或更高版本,請使用 Java 8。 +launch.advice.log4j_cve_2021_44228=當前版本具有嚴重漏洞,使用它加入服務器會讓您的電腦遭受攻擊。\n官方已經更新修補該漏洞,重新安裝此版本即可修復問題。\n是否要繼續啟動不安全的版本? launch.advice.newer_java=偵測到您未使用 Java 8 及更新版本,Java 8 能使遊戲更順暢而且 Minecraft 1.12 及更新版本和很多 Mod 強制需要 Java 8 版本。 launch.advice.not_enough_space=您設定的記憶體大小過大,由於超過了系統記憶體大小 %dMB,所以可能影響遊戲體驗或無法啟動遊戲。是否繼續啟動? launch.advice.require_newer_java_version=Minecraft %1$s 僅能運行在 Java %2$s 或更高版本上,是否下載? diff --git a/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties b/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties index b55d79407..059e5d2e6 100644 --- a/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties +++ b/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties @@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 或更高版本与 OptiFine 不 launch.advice.java8_1_13=Minecraft 1.13 及以上版本只能运行在 Java 8 或更高版本上,请使用 Java 8 或最新版本。 launch.advice.java8_51_1_13=低于 1.8.0_51 的 Java 版本可能会导致 Minecraft 1.13 崩溃。建议您到 https://java.com 安装 Java 8。 launch.advice.java9=低于 1.13 的有安装 Mod 的 Minecraft 版本不支持 Java 9 或更高版本,请使用 Java 8。 +launch.advice.log4j_cve_2021_44228=当前版本具有严重漏洞,使用它加入服务器会让您的电脑遭受攻击。\n官方已经更新修补该漏洞,重新安装此版本即可修复问题。\n是否要继续启动不安全的版本? launch.advice.newer_java=检测到您未使用 Java 8 及更新版本,Java 8 能使游戏更流畅,而且 Minecraft 1.12 及更新版本和很多 Mod 强制需要 Java 8。 launch.advice.not_enough_space=您设置的内存大小过大,由于超过了系统内存大小 %dMB,所以可能影响游戏体验或无法启动游戏。是否继续启动? launch.advice.require_newer_java_version=Minecraft %1$s 仅能运行在 Java %2$s 或更高版本上,是否下载?