- Bug
- Resolution: Invalid
- None
- 1.18.1
- None
- Unconfirmed
- (Unassigned)
Hi there,
On the announcement page for Minecraft 1.18.1 it states "This release fixes a critical security issue for multiplayer servers", which I assume references the recent log4j vulnerabilities.
After upgrading to 1.18.1 I noticed that the vulnerable versions are still being shipped! In %APPDATA%/.minecraft/libraries/org/apache/logging/log4j there are the following files:
log4j-api/2.14.1/log4j-api-2.14.1.jar
log4j-core/2.14.1/log4j-core-2.14.1.jar
log4j-slf4j18-impl/2.14.1/log4j-slf4j18-impl-2.14.1.jar
I manually deleted them, restarted the launcher and game. The game automatically re-downloaded them again. I found that %APPDATA%/.minecraft/assets/log_configs/client-1.12.xml now contains a patched PatternLayout:
<PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
But according to the log4j developers, this setting is NOT SUFFICIENT to mitigate the security problem. So please update log4j to a safe version in order to protect your users.
- is duplicated by
- MC-247428 Log4Shell is (still) not fully patched.
- Resolved
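The two checks the reporter did by hand (which log4j jars sit in the libraries tree, and whether the log config's PatternLayout carries `{nolookups}`) can be scripted for an inventory. This is an added example, not part of the original report or Mojang's code; the function names, the sample tree and the sample config are constructed, and the minimum version is a parameter to fill in from the Apache Log4j security advisory (`99.0.0` below is a placeholder).

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

LOG4J_DIR = Path("org/apache/logging/log4j")  # Maven-layout path named in the report
MSG_RE = re.compile(r"%[-.\d]*(?:message|msg|m)(?![A-Za-z])((?:\{[^}]*\})*)")

def version_key(version, width=4):
    """Numeric sort key for the leading dotted-number part of a version."""
    parts = [int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def log4j_jars(libraries):
    """(artifact, version) for each jar stored as <artifact>/<version>/<file>.jar."""
    root = Path(libraries) / LOG4J_DIR
    return sorted({(j.parent.parent.name, j.parent.name) for j in root.rglob("*.jar")})

def below_minimum(jars, minimum):
    """Jars older than a caller-supplied minimum (take it from the Log4j advisory)."""
    return [(a, v) for a, v in jars if version_key(v) < version_key(minimum)]

def message_fields(config_xml):
    """Map each PatternLayout pattern to whether every %msg carries {nolookups}."""
    result = {}
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        pattern = layout.get("pattern", "")
        options = [m.group(1) for m in MSG_RE.finditer(pattern)]
        result[pattern] = all("{nolookups}" in o for o in options)
    return result

def build_sample(root):
    """Constructed sample tree mirroring the file names listed in the report."""
    for art in ("log4j-api", "log4j-core", "log4j-slf4j18-impl"):
        jar = Path(root) / LOG4J_DIR / art / "2.14.1" / f"{art}-2.14.1.jar"
        jar.parent.mkdir(parents=True)
        jar.touch()

SAMPLE_CONFIG = """<Configuration><Appenders><Console name="SysOut">
  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg{nolookups}%n" />
</Console><Console name="Legacy">
  <PatternLayout pattern="[%d{HH:mm:ss}] [%t/%level]: %msg%n" />
</Console></Appenders></Configuration>"""  # constructed; second layout is the unpatched form

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("old:", below_minimum(log4j_jars(tmp), "99.0.0"))  # placeholder minimum
    print(message_fields(SAMPLE_CONFIG))
```

The `{nolookups}` result is an inventory fact only; the jar versions remain the item to track against the advisory.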