Java Log4j Weakness
There has been a weakness identified in a common Java login library. This weakness affects Java Minecraft servers and clients.
You can find the official statement from Mojang here. Their article also contains the steps you need to take to protect yourself.
Part of the article explains that you need to add certain JVM arguments to your startup command line.This can be done by following the steps below.
1. Log into your Minecraft control panel
2. Click 'Startup Parameters' on the left-hand side menu
3. Click the toggle next to the JVM argument you need to enable (If you do not see the JVM argument, restart your server and it should show up. If you still don't see it, please create a support ticket***)
4. Restart your server
***If you are running 1.17+ you won't see the JVM argument because we already automatically add the correct one by default to the server's startup script. No need to contact us in this case.
Thankfully the Minecraft community is amazing, and most of the server versions have been patched, and do not require any fixes as long as you're running the latest builds. As of the writing of this article, the latest builds of the following versions have all been patched and do not require any fixes.
Bungeecord
Paper Waterfall
CraftBukkit 1.18.1
Fabric Loader 0.12.10+
Forge 1.18 (38.0.17)
Forge 1.17.1 (37.1.1)
Forge 1.16.5 (36.2.20)
Forge 1.15.2 (31.2.56)
Forge 1.14.4 (28.2.25)
Forge 1.13.2 (2.25.0.222)
Forge 1.12.2 (14.23.5.2857)
Paper 1.18.1
Paper 1.18
Paper 1.17.1
Paper 1.16.5
Paper 1.15.2
Paper 1.14.4
Paper 1.13.2
Paper 1.12.2
Paper 1.10.2
Spigot 1.18.1
Spigot 1.18
Spigot 1.17.1
Spigot 1.17
Spigot 1.16.5
Spigot 1.15.2
Spigot 1.14.4
Spigot 1.13.2
Spigot 1.12.2
Spigot 1.11.2
Spigot 1.10.2
Spigot 1.9.4
Spigot 1.8.8
Vanilla 1.7 to 1.18.1
If you are running anything else, it's best to proceed with caution and either update (recommended) or apply the fix mentioned by Mojang.