Issue security warning for CVE-2021-44228

2025-09-10 04:16:02 -04:00 · 2021-12-11 12:28:48 +08:00 · 2021-12-11 12:28:48 +08:00 · 38013a9298
commit 38013a9298
parent 5ffbd16800
4 changed files with 30 additions and 0 deletions
--- a/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java
+++ b/HMCL/src/main/java/org/jackhuang/hmcl/game/LauncherHelper.java
@ -72,6 +72,11 @@ import static org.jackhuang.hmcl.util.i18n.I18n.i18n;

 public final class LauncherHelper {

+    private static final Set<String> UNSAFE_CLIENT_1_7_XML_SHA1 =
+            Collections.unmodifiableSet(new HashSet<>(Collections.singletonList("6605d632a2399010c0085d3e4da58974d62ccdfe")));
+    private static final Set<String> UNSAFE_CLIENT_1_12_XML_SHA1 =
+            Collections.unmodifiableSet(new HashSet<>(Collections.singletonList("ef4f57b922df243d0cef096efe808c72db042149")));
+
    private final Profile profile;
    private final Account account;
    private final String selectedVersion;
@ -523,6 +528,28 @@ public final class LauncherHelper {
                }
            }

+            // CVE-2021-44228 Remote code injection in Log4j
+            if (!suggested) {
+                if (gameVersion.compareTo(VersionNumber.asVersion("1.7")) >= 0 && gameVersion.compareTo(VersionNumber.asVersion("1.18")) <= 0) {
+                    String xmlSha1 = Optional.ofNullable(version.getLogging().get(DownloadType.CLIENT))
+                            .flatMap(loggingInfo -> Optional.of(loggingInfo.getFile()))
+                            .flatMap(idDownloadInfo -> Optional.ofNullable(idDownloadInfo.getSha1()))
+                            .orElse("");
+                    if (gameVersion.compareTo(VersionNumber.asVersion("1.12")) < 0) {
+                        if (UNSAFE_CLIENT_1_7_XML_SHA1.contains(xmlSha1)) {
+                            Controllers.confirm(i18n("launch.advice.log4j_cve_2021_44228"), i18n("message.warning"), continueAction, null);
+                            suggested = true;
+                        }
+                    } else {
+                        if (UNSAFE_CLIENT_1_12_XML_SHA1.contains(xmlSha1)) {
+                            Controllers.confirm(i18n("launch.advice.log4j_cve_2021_44228"), i18n("message.warning"), continueAction, null);
+                            suggested = true;
+                        }
+                    }
+                }
+            }
+
+
            if (!suggested) {
                future.complete(javaVersion);
            }
--- a/HMCL/src/main/resources/assets/lang/I18N.properties
+++ b/HMCL/src/main/resources/assets/lang/I18N.properties
@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 and later versions are not compa
 launch.advice.java8_1_13=Minecraft 1.13 and later can only run on Java 8 or later.
 launch.advice.java8_51_1_13=Minecraft 1.13 may crash on Java 8 earlier than 1.8.0_51. Please install the latest version of Java 8.
 launch.advice.java9=You cannot launch Minecraft 1.12 or earlier with Java 9 or later versions of Java.
+launch.advice.log4j_cve_2021_44228=The current version has serious security vulnerabilities. If you use it to join the server, your computer may be attacked.\nOfficials has updated the game to fix the vulnerabilities, re-downloading and installing the current version can solve the problem.\nDo you want to continue starting the unsafe version?
 launch.advice.newer_java=Java 8 is recommended to make the game faster. For many Minecraft 1.12 of higher, and most mods, Java 8 is required.
 launch.advice.not_enough_space=You have allocated too much memory, because the physical memory size is %dMB, your game may crash. Shall we continue launching?
 launch.advice.require_newer_java_version=Minecraft %1$s requires Java %2$s or later, are you willing to download one now?
--- a/HMCL/src/main/resources/assets/lang/I18N_zh.properties
+++ b/HMCL/src/main/resources/assets/lang/I18N_zh.properties
@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 或更高版本與 OptiFine 不
 launch.advice.java8_1_13=Minecraft 1.13 只支援 Java 8 或更高版本，請使用 Java 8 或最新版本。
 launch.advice.java8_51_1_13=低於 1.8.0_51 的 Java 版本可能會導致 Minecraft 1.13 崩潰。建議您到 https://java.com 安裝最新版的 Java 8。
 launch.advice.java9=低於 (包含) 1.13 的有安裝 Mod 的 Minecraft 版本不支援 Java 9 或更高版本，請使用 Java 8。
+launch.advice.log4j_cve_2021_44228=當前版本具有嚴重漏洞，使用它加入服務器會讓您的電腦遭受攻擊。\n官方已經更新修補該漏洞，重新安裝此版本即可修復問題。\n是否要繼續啟動不安全的版本？
 launch.advice.newer_java=偵測到您未使用 Java 8 及更新版本，Java 8 能使遊戲更順暢而且 Minecraft 1.12 及更新版本和很多 Mod 強制需要 Java 8 版本。
 launch.advice.not_enough_space=您設定的記憶體大小過大，由於超過了系統記憶體大小 %dMB，所以可能影響遊戲體驗或無法啟動遊戲。是否繼續啟動？
 launch.advice.require_newer_java_version=Minecraft %1$s 僅能運行在 Java %2$s 或更高版本上，是否下載？
--- a/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties
+++ b/HMCL/src/main/resources/assets/lang/I18N_zh_CN.properties
@ -455,6 +455,7 @@ launch.advice.forge28_2_2_optifine=Forge 28.2.2 或更高版本与 OptiFine 不
 launch.advice.java8_1_13=Minecraft 1.13 及以上版本只能运行在 Java 8 或更高版本上，请使用 Java 8 或最新版本。
 launch.advice.java8_51_1_13=低于 1.8.0_51 的 Java 版本可能会导致 Minecraft 1.13 崩溃。建议您到 https://java.com 安装 Java 8。
 launch.advice.java9=低于 1.13 的有安装 Mod 的 Minecraft 版本不支持 Java 9 或更高版本，请使用 Java 8。
+launch.advice.log4j_cve_2021_44228=当前版本具有严重漏洞，使用它加入服务器会让您的电脑遭受攻击。\n官方已经更新修补该漏洞，重新安装此版本即可修复问题。\n是否要继续启动不安全的版本？
 launch.advice.newer_java=检测到您未使用 Java 8 及更新版本，Java 8 能使游戏更流畅，而且 Minecraft 1.12 及更新版本和很多 Mod 强制需要 Java 8。
 launch.advice.not_enough_space=您设置的内存大小过大，由于超过了系统内存大小 %dMB，所以可能影响游戏体验或无法启动游戏。是否继续启动？
 launch.advice.require_newer_java_version=Minecraft %1$s 仅能运行在 Java %2$s 或更高版本上，是否下载？