log4j exploit (#199)

* overwrite the log4j config as default
* using java 17 for the latest minecraft server version

Author: nolte

README.md

@@ -21,7 +21,7 @@ This role installs [Minecraft](https://minecraft.net/) or [Spigot](https://www.s
 -  manages ``server.properties``
 -  hooks: include arbitrary tasks at specific stages during execution
 
-### Out of Role Scop
+### Out of Role Scope
 
 - install a *Java Runtime*, this must be done, before you use this Role, you can use [nolte/ansible-role-msopenjdk](https://github.com/nolte/ansible-role-msopenjdk) for example.
 - executing backups and recovery

molecule/latest/molecule.yml

@@ -74,7 +74,7 @@ provisioner:
       minecraftserver:
         user_accept_minecraft_eula: ${mc_accept_eula}
         mc_version: "latest"
-        jdk_used_version: ${JDK_VERSION:-"16"}
+        jdk_used_version: ${JDK_VERSION:-"17"}
   playbooks:
     converge: ../resources/playbooks/playbook.yml
   lint:

tasks/install/main.yml

@@ -25,18 +25,23 @@
     owner: "{{ minecraft_user }}"
     group: "{{ minecraft_group }}"
     mode: 0755
-  when:
-    minecraft_external_log_conf is defined and
-    minecraft_external_log_conf.fileName is defined
+
+ # https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition
+- name: set the default log4j config name
+  set_fact: 
+    _log4j_default_template_file_name: log4j2.xml.j2
+
+- name: set overwrite for special mc versions
+  set_fact: 
+    _log4j_default_template_file_name: log4j2_17-111.xml.j2
+  when: (minecraft_version_int is version('1.7', '>=')) and (minecraft_version_int is version('1.11', '<='))
 
 - name: external logging config
   template:
-    src: "{{ minecraft_external_log_conf.template | default('log4j2.xml.j2') }}"
-    dest: "{{ deploy_helper.shared_path }}/{{ minecraft_external_log_conf.conf_file }}"
+    src: "{{ minecraft_external_log_conf.template | default(_log4j_default_template_file_name) }}"
+    dest: "{{ deploy_helper.shared_path }}/{{ minecraft_external_log_conf.conf_file | default('log4j2.xml') }}"
     owner: "{{ minecraft_user }}"
     group: "{{ minecraft_group }}"
     mode: 0600
-  when:
-    minecraft_external_log_conf is defined
   notify:
     - restart Minecraft

templates/log4j2.xml.j2

@@ -1,29 +1,34 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Configuration>
-	<Appenders>
-
-		<Console name="console" target="SYSTEM_OUT">
-			<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%level] %msg%n" />
-		</Console>
-
-		<RollingRandomAccessFile name="rolling_server_log" fileName="{{ minecraft_external_log_conf.fileName | default('logs/server.log') }}"
-				filePattern="{{ minecraft_external_log_conf.filePattern | default('logs/server_%d{yyyy-MM-dd}.log.gz') }}">
-			<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%level] %msg%n" />
-			<Policies>
-				<TimeBasedTriggeringPolicy />
-				{% if minecraft_external_log_conf.sizeBased is defined -%}
-				<SizeBasedTriggeringPolicy size="{{ minecraft_external_log_conf.sizeBased }}" />
-				{% endif %}
-			</Policies>
-			{% if minecraft_external_log_conf.rollover is defined -%}
-			<DefaultRolloverStrategy max="{{ minecraft_external_log_conf.rollover }}" />
-			{% endif %}
-		</RollingRandomAccessFile>
-	</Appenders>
-	<Loggers>
-		<Root level="info">
-			<AppenderRef ref="rolling_server_log" />
-			<!-- <AppenderRef ref="console" /> -->
-		</Root>
-	</Loggers>
-</Configuration>
+<Configuration status="WARN">
+    <Appenders>
+        <Console name="SysOut" target="SYSTEM_OUT">
+            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
+        </Console>
+        <Queue name="ServerGuiConsole">
+            <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg{nolookups}%n" />
+        </Queue>
+        <RollingRandomAccessFile name="File" fileName="{{ minecraft_external_log_conf.fileName | default('logs/server.log') }}" filePattern="{{ minecraft_external_log_conf.filePattern | default('logs/server_%d{yyyy-MM-dd}.log.gz') }}">
+            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
+            <Policies>
+                <TimeBasedTriggeringPolicy />
+                <OnStartupTriggeringPolicy />
+                {% if minecraft_external_log_conf.sizeBased is defined -%}
+                <SizeBasedTriggeringPolicy size="{{ minecraft_external_log_conf.sizeBased }}" />
+                {% endif %}
+            </Policies>
+            {% if minecraft_external_log_conf.rollover is defined -%}
+            <DefaultRolloverStrategy max="{{ minecraft_external_log_conf.rollover }}" />
+            {% endif %}
+        </RollingRandomAccessFile>
+    </Appenders>
+    <Loggers>
+        <Root level="info">
+            <filters>
+                <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
+            </filters>
+            <AppenderRef ref="SysOut" />
+            <AppenderRef ref="File" />
+            <AppenderRef ref="ServerGuiConsole" />
+        </Root>
+    </Loggers>
+</Configuration>

templates/log4j2_17-111.xml.j2

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration status="WARN" packages="com.mojang.util">
+    <Appenders>
+        <Console name="SysOut" target="SYSTEM_OUT">
+            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
+        </Console>
+        <Queue name="ServerGuiConsole">
+            <PatternLayout pattern="[%d{HH:mm:ss} %level]: %msg%n" />
+        </Queue>
+        <RollingRandomAccessFile name="File" fileName="{{ minecraft_external_log_conf.fileName | default('logs/server.log') }}" filePattern="{{ minecraft_external_log_conf.filePattern | default('logs/server_%d{yyyy-MM-dd}.log.gz') }}">
+            <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
+            <Policies>
+                <TimeBasedTriggeringPolicy />
+                <OnStartupTriggeringPolicy />
+                {% if minecraft_external_log_conf.sizeBased is defined -%}
+                <SizeBasedTriggeringPolicy size="{{ minecraft_external_log_conf.sizeBased }}" />
+                {% endif %}
+            </Policies>
+            {% if minecraft_external_log_conf.rollover is defined -%}
+            <DefaultRolloverStrategy max="{{ minecraft_external_log_conf.rollover }}" />
+            {% endif %}
+        </RollingRandomAccessFile>
+    </Appenders>
+    <Loggers>
+        <Root level="info">
+            <filters>
+                <MarkerFilter marker="NETWORK_PACKETS" onMatch="DENY" onMismatch="NEUTRAL" />
+                <RegexFilter regex="(?s).*\$\{[^}]*\}.*" onMatch="DENY" onMismatch="NEUTRAL" />
+            </filters>
+            <AppenderRef ref="SysOut" />
+            <AppenderRef ref="File" />
+            <AppenderRef ref="ServerGuiConsole" />
+        </Root>
+    </Loggers>
+</Configuration>

templates/minecraft.service.j2

@@ -12,7 +12,7 @@ WorkingDirectory={{ deploy_helper.shared_path }}
 StandardInput=socket
 StandardOutput=journal
 StandardError=journal
-ExecStart={{ minecraft_java }} -Xmx{{ minecraft_max_memory }} -Xms{{ minecraft_initial_memory }} {% if minecraft_external_log_conf is defined %}-Dlog4j.configurationFile={{ minecraft_external_log_conf.conf_file }}{% endif %} {{ minecraft_server_java_ops }} -jar {{ minecraft_jar }} nogui
+ExecStart={{ minecraft_java }} -Xmx{{ minecraft_max_memory }} -Xms{{ minecraft_initial_memory }} -Dlog4j.configurationFile={{ minecraft_external_log_conf.conf_file | default('log4j2.xml') }} -Dlog4j2.formatMsgNoLookups=true {{ minecraft_server_java_ops }} -jar {{ minecraft_jar }} nogui
 ExecStop=/bin/sh -c "echo 'save-all' > {{ minecraft_console_fifo }}"
 ExecStop=/bin/sh -c "echo 'stop' > {{ minecraft_console_fifo }}"
 Restart=on-failure

tox.ini

@@ -59,7 +59,7 @@ setenv =
     fixversion: MC_VERSION = "1.13.1"
     oldversion: MC_VERSION = "1.9"
     latest: MC_VERSION = "latest"
-    latest: JDK_VERSION = "16"
+    latest: JDK_VERSION = "17"
 deps= -r{toxinidir}/requirementsDev.txt
 commands =
     molecule --base-config ./molecule/resources/molecule-maintenance-base.yml --env-file {env:DOCKER_CONFIG_FILE} test -s ci_single_container